But if you put the password in a URL, the user’s browser is going to turn around and store that plaintext password in its history, then sync it to the user’s other devices, and then pop it up on their screen in the address bar autocomplete, perhaps when the user is screen sharing or streaming to hundreds of people. The browser does not expect a password to be stored there and will mishandle it.
It’s safe for https.
In terms of the transport, sure.
But if you put the password in a URL, the user’s browser is going to turn around and store that plaintext password in its history, then sync it to the user’s other devices, and then pop it up on their screen in the address bar autocomplete, perhaps when the user is screen sharing or streaming to hundreds of people. The browser does not expect a password to be stored there and will mishandle it.