Google Fi, and Mint Mobile are two MVNOs that claim to prevent again sim swapping [0][1]. Mint Mobile offers TOTP, and Google Fi is linked to your Google account, so you can add U2F/TOTP MFA.
However, would it still be possible for a T-Mobile retail employee to hijack a Google Fi, or Mint Mobile number? Both MVNOs use T-Mobile for their backend, but Google Fi uses US Cellular as well. There have been documented cases of retail T-Mobile employees conducting sim swaps. There has also been documented cases of Mint Mobile users getting sim swapped [2][3][4][5][6]. So, are MVNOs really not vulnerable to sim swapping? If so, is VOIP services like Google Voice the only secure alternative [7].
0. https://support.google.com/fi/answer/9834243
1. https://old.reddit.com/r/mintmobile/comments/jw21qf/how_does_mint_prevent_sim_swapping/
2. https://old.reddit.com/r/mintmobile/comments/113dyvi/sim_swap_a_few_days_ago_day_3_of_still_not_having/
3. https://old.reddit.com/r/mintmobile/comments/t4g4g3/i_just_got_sim_swapped_and_im_terrified_this_was/
4. https://old.reddit.com/r/mintmobile/comments/nw4gth/just_got_sim_swap_hacked/
5. https://old.reddit.com/r/mintmobile/comments/jw21qf/how_does_mint_prevent_sim_swapping/
6. https://old.reddit.com/r/GoogleFi/comments/10qes3h/at_least_one_google_fi_customer_had_accounts/
7. https://krebsonsecurity.com/2018/11/busting-sim-swappers-and-sim-swap-myths/
As long as humans are allowed to "override" settings in the systems, none would be "invulnerable". More difficult, maybe, but not "invulnerable".
If a t-mobile employee with the right access to t-mobiles database can reassign a t-mobile number (even if that number is used by a MVNO) then there is always a risk that an employee can be bribed or be in on the heist.