@ariadne pardon my ignorance here, but both urls point to github.com using https. And that would pass on the rest of the URL to the web server at github who would then return results with a certain content type. So why would either represet a risk unless you are using some Microsoft web browser that does stuff it shouldn't? Normally, the @ in a URL would be right after the host name to include username/password combination, But after the first /, it would be passed as the "GET" to web server
@jfmezei@mstdn.ca now compare the slashes in front of github.com to the ones after it.
(That different kind of slashes are allowed in URLs seems like the core problem to me, not .zip domains.)