In general blacklists are a better choice overall for non-technical users. Do you really want an angry text message or phone call every time $FAMILY_MEMBER has some site that's rendering poorly because they haven't properly whitelisted one of the 12 legit domains it hits? And do you really trust them to not whitelist some ad & tracking domains?

Presumably, $FAMILY_MEMBER would have to get past the phone number whitelist too. So it might not be that bad.

Not sure why you were downvoted, but this is correct. Facebook (or anyone else) can easily create more domains.