oh yeah, the whole STIR/SHAKEN thing is because calls and sms are essentially email: the sender just includes metadata saying who they are. Without any additional work you can a given call/message can claim to be whoever you want. This would be fine if carriers actually required it to be correct, but intrinsically if a call comes in to your carrier from another carrier your carrier has to trust the originator actually enforced this. But there are carriers whose primary market is "marketing companies", and so they are not ... careful ... about ensuring the originator isn't spouting nonsense. The FCC just recently told all major US carriers that they were required to drop connections from a couple of such carriers.

I'm sure there's a more complexity in how this actually all works in the real world, but this is my basic high level understanding of it.