The URL specification (RFC 1738, December '94) poses a problem because it restricts the use of permitted characters in URLs to only a limited subset of the US-ASCII character set.
HTML, on the other hand, allows the use of the entire ISO-8859-1 (ISO-Latin) character set in documents - and HTML4 extends the range to include the entire Unicode character set, In the case of characters other than ISO-8859-1 (characters above FF hex / 255 decimal in Unicode), they simply cannot be used in URLs, as there is no safe way to specify character set information in the contents of the URL but [RFC2396.]
URLs must be encoded throughout the HTML document referenced by the URL to import the object (A, APPLET, AREA, BASE, BGSOUND, BODY, EMBED, FORM, FRAME, IFRAME, ILAYER, IMG, ISINDEX, INPUT, LAYER , LINK, OBJECT, SCRIPT, SOUND, TABLE, TD, TH and TR.)
Security is not the point. As already noted, HTTPS should be used when necessary.