Use backup verification codes and a recovery email address.
Also, remember the date when you created your Google account. The best way to find that date may be to look at the first email you received in the account.
What you can do with email is move the problem to your most secure account or to an account that you know how to recover under essentially all circumstances.
As I mentioned before that it's just convenience. SMS based authentication is flawed and is also prone to SS7 Attacks but people just do it because it's simple. Nothing in the world is hack proof
Also, remember the date when you created your Google account. The best way to find that date may be to look at the first email you received in the account.