"Google's customer service is _so_ fucked even the most dedicated social engineers with the biggest of whales in their sights can't get them to do a fucking thing."
And what's unfortunate is that you're probably right!
Telcos do not secure phone numbers to banking grade security, because they never agreed to be part of anyone's critical security posture, and their own incentives are to make it as easy and quick as possible for customers to move their phone numbers around. It's in the telco's interest for you to be able to walk into a $TelcoBrand store and walk out with a functioning device with your old number. (Or to call up their support line and do the same thing.) They never offered to make that more difficult than it needs to be just because companies like PayPal wanted to outsource security to be somebody else's expense. They've been actively recommending against it since forever:
Are you kidding? Banks do a terrible job. Just one data point: «Losses from [bank] account takeovers hit $5.1 billion last year, a 120 percent increase over 2016» https://www.aarp.org/money/scams-fraud/info-2018/thieves-tar...
The technical name for a SIM card is UICC (Universal Integrated Circuit Card, IIRC). eSIM is eUICC. The next step is iUICC, for an integrated on-die function. There is no separate chip then; it's integrated in the modem SoC. But the way it is being standardized (on-going), the iUICC must run in a secure enclave, with a similar security level as current discrete SIM cards. So again, no real difference: an iUICC will behave as an eUICC one from an end user point of view. The operators do not want to reduce the security of their UICC.
If you order an eSIM in someone's online account, you can activate it. Done. Hacked.
With a normal SIM card it will be sent to your home/office. Unless someone changed that somehow.
Then there are two variants of eSIM, for M2M and for consumer devices.
With the consumer variant the profile is requested from the target device itself. So you must own the device to install a new profile, and also have the needed credentials. So this is more than inserting a physical SIM today, where you also need the device but there are no local credentials and no SIM/device mapping.
For M2M, the profile is explicitly pushed to a specific device, which is remotely managed.
Always remember, there's another computer inside your phone, the UICC computer. It contains software from the past, written by hardware people who've never heard of security, no one's looked at the code for bugs, and it controls your phone.
In conclusion: buy a tablet
There is typically a default bootstrap profile, to provide just enough connectivity to get started and choose your actual operator. And then this operator profile will be installed too. But the system is more generic, and could store more profiles. At least in theory, in practice there is a cost to generating a profile so this is only done if there is a real need.
This article / link describes this and a possible other attack (also an applet on the SIM card, called Wireless Internet Browser (WIB)) AND a way to test if your SIM card is vulnerable, plus mitigation measures (hint: do not allow MSL (Minimum Security Level) zero).
But who knows if PINs are visible to AT&T employees, and what verification they do in case the PIN is forgotten. It's all moot if any AT&T employee can reset it without a significant paper trail.