I light of the new .zip domains and how they are used to trick people, I wonder if there is a way to configure Brave to not allow @ in URLs.
This would stop the trick used with the .zip domains, and also do that you cannot transfter unsername/password in the URL. But I do not use that feature.