I suggest to double check everything regarding charsets.
Looks like there is tough work ahead
Formerly restricted charcodes are now allowed. Its not just a “similar lookin domain” problem, end user could be rightfully typing a wrong uri. (ie. SYRIAC SUPRALINEAL FULL STOP)
Besides IDNs, even young/old highly skilled coders miss this obscure concept, a russian hyphen may pass the string validation without being the same “bytecode” .
Simply put: A russian keyboard config may not input the same hyphen expected in the core, but middleware (app) validating it as the same as the common -