You can put a customer service password on your tmobile account to avoid anyone calling customer service without that password to make any changes. This is separate from your online portal password.
That still doesn't fix the compromised employee problem. If they can match your identity with your phone number, and have full access to t-mobile they can sim swap. Sure, Google could have compromised employees, but I trust Google's security, especially their internal security, much more than T-Mobile.
