I don’t know if this will help anyone avoid this scenario in the future, but this issue has bitten us.
Here’s what happens: If a non-verified account contributes to a deployment owned by someone who is verified, they will immediately be locked out of their own account:
Error: input:3: createRelease Your account has been marked as high risk. Please go to https://fly.io/high-risk-unlock to verify your account.
I haven’t found any way to resolve this. Thankfully this is a small scale hobbyist scenario, but this could have been a nightmare in a business setting.