I'm not sure how they get it at all, except via contact list mining. It makes sense that the doctor's phone number is part of her Facebook account. It does not make sense that her patients, who have not added her as a "friend" there, would nonetheless have explicitly told Facebook her number from their end. (I don't even think that's a thing you can do.)

Facebook will happily slurp your entire contact list even if you're not FB friends with all of them. And the algorithms almost certainly know and take into account having someone in your contacts as a way to build a graph of relationships.

Exactly. And, of course, there is not even a way to flag some contacts as private, or otherwise to be excluded from social graph analysis.

I mean, I guess you could keep those contacts in a note or some other record outside your contacts list, and just tap to call or email or whatever. But that only works as long as the Facebook app doesn't decide it needs access to that kind of record, too. And when you find yourself going that far out of your way to circumvent something that's installed on your phone, maybe it's time to think about whether that thing is more trouble than it's worth.

For several official numbers (local taxi company, local police station, local pizza place) I've been random people's names and facebook profile pictures be added to the phone contact where the app has been installed and asked to sync "profile pictures to contact list". This must be people on facebook that jokingly puts in one of these well known phone numbers in their profile, but these strangers then start to appear and take over otherwise reasonable "local pizza" type phonebook entries on completely unrelated people's phones...