Most videoconferencing systems are not E2E-encrypted. They encrypt the link between each participant and the central server. This makes implementation simpler in a few ways.
A good E2E-encrypted system would involve Zoom never having the keys at all, so "key storage" would be irrelevant.
The issue here is merely that Zoom claimed to be E2E-encrypted when they were not. They could have simply said "encrypted" and there would be no issue.
Wouldn't E2E encryption of a call with 40 participants require each user to have 39 times the upload bandwidth, in order to send 39 video streams encrypted with different keys? And potentially several times the computational cost on the client, in order to downsample video according to the different available download bandwidth of every other participant?
Is there anyone doing group videoconferencing with E2E encryption, for more than a handful of participants?
Typically, the central server does not transcode. Participants simulcast a few bitrates, and the central server forwards to each other participant the sub-stream with the appropriate bitrate for the bandwidth capacity of that participant. This is compatible with E2E encryption, by individually encrypting each sub-stream. Participants can share a session key that is unknown to the central server.
FaceTime supports group calls and claims E2E encryption for them. WhatsApp does too, I believe? I'm not sure how many participants you can have.
>Wouldn't E2E encryption of a call with 40 participants require each user to have 39 times the upload bandwidth, in order to send 39 video streams encrypted with different keys?
I think you use public key cryptography to securely distribute an encryption key for that call. So the host sends 39 messages encrypted with different keys containing a shared key. Then everyone uses the shared key to encrypt/decrypt the call data.
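The key distribution described in the comments above (a shared session key unknown to the server, wrapped once per participant), as an added example that is not part of the thread or any vendor's code. It uses Node.js's built-in crypto module (X25519, HKDF, AES-256-GCM) and assumes every participant's public key has already been authenticated out of band; `runCall`, `seal`, `unseal`, `wrapKeyFor` and the sample frame are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Derive a 32-byte key-wrapping key from an X25519 shared secret.
function wrapKeyFor(ownPrivate, peerPublic) {
  const secret = nodeCrypto.diffieHellman({ privateKey: ownPrivate, publicKey: peerPublic });
  return Buffer.from(nodeCrypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'call-key-wrap', 32));
}

// AES-256-GCM: output layout is iv (12 bytes) | tag (16 bytes) | ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

function unseal(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on a wrong key
}

function runCall(participantCount) {
  const host = nodeCrypto.generateKeyPairSync('x25519');
  const peers = Array.from({ length: participantCount - 1 },
    () => nodeCrypto.generateKeyPairSync('x25519'));
  const sessionKey = nodeCrypto.randomBytes(32); // never sent to the server in the clear

  // Host uploads one small wrapped-key message per other participant.
  const wrapped = peers.map(p => seal(wrapKeyFor(host.privateKey, p.publicKey), sessionKey));

  // Host uploads ONE encrypted frame; the server forwards the same bytes to everyone.
  const frame = Buffer.from('constructed sample video frame');
  const encryptedFrame = seal(sessionKey, frame);

  // Each peer unwraps the session key with its own private key, then decrypts the frame.
  const allDecrypt = peers.every((p, i) => {
    const key = unseal(wrapKeyFor(p.privateKey, host.publicKey), wrapped[i]);
    return unseal(key, encryptedFrame).equals(frame);
  });

  // A party holding only the forwarded bytes (the server) has no session key to open them.
  let serverCanRead = true;
  try { unseal(nodeCrypto.randomBytes(32), encryptedFrame); } catch { serverCanRead = false; }

  return { keyMessages: wrapped.length, framesUploaded: 1, allDecrypt, serverCanRead };
}
```

For a 40-person call, `runCall(40)` produces 39 key messages of a few dozen bytes each and a single encrypted media upload, so the per-participant cost is in key setup, not in media bandwidth.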