Most of my signal contracts are also unverified (my nerd friends are). However, I am notified if their key changes, so unless our connection was MITM'd on first contact, I would at least have a warning and know to be more suspicious. Usually I'll follow up with people out of band to verify that they got a new phone or something. This happens infrequently enough that it is not a hardship.
I'd prefer to verify all of my contacts but, given my security model, this is good enough and a huge step up from email.
All of my Signal/Telegram/WhatsApp contacts are unverified in the app itself, but almost all of them are de facto verified by other means; we plan meeting up at bars and I know who I'm chatting with because the person I expect shows up. Or we send emails or communications via other means and the conversations match.
I don't need to verify the code because everything else about the communication matches.
You need to enable security notifications, and you will be notified of key changes.
> Turn on this setting to receive notifications when a contact's security code has changed. Your messages and calls are encrypted regardless of this setting.
I don't use Whatsapp, so I don't actually have first-hand knowledge. Now that I think about it, it may be that I was told that it automatically regenerates the key more often than they need to, which would have the same effect.
I don't believe this is true. Every time I've asked about a key change, it has been because someone either got a new phone, reinstalled the app, or reset their phone.
I'd prefer to verify all of my contacts but, given my security model, this is good enough and a huge step up from email.