Whitelist is easier. If I added an email of a friend in this system, we can communicate. Everything else goes blackhole.
Nothing is easy about email! Having worked for years just to get reliable in and outboxes is definitely not trivial. Also SMTP is a system out of your control if you want anything verified and actually delivered.
Of course whitelist is easier, but how valuable would your email be if you only allowed your friends to email you? Goodbye order confirmations, subscription reminders, recruiter emails, notifications…
Sounds like a dream, really. And you could always have it be a user-driven action, like "Copy this line and paste it into your email provider's whitelist", framing it as a positive win for the user since they have total control over who is allowed to communicate with them.
I do want arbitrary people to reach out to me regarding my home page for example, so any just-allow-whitelisted-messages proposals are useless in that regard.
And in practice some minimal address obfuscation has been enough to block any address harvesters, and setting up a contact form or something comparable (and I guess especially also subsequently keeping it spam-free!) would have been much more of a hassle.