A segment of infosec became very concerned about the new .zip and .mov TLDs. The worry was that these familiar file extensions would be rich vectors for phishing.
I don't share that worry. If we're still relying on users to inspect URLs and decide whether they're safe, we're failing as an industry. People will click on links. Links are designed to be clicked on. Phishing countermeasures need to move on from visual URL parsing and focus more on countering the "post-click" consequences. This is why MFA and WebAuthn are important, as are browsers showing the visited domain, auto-updates, restrictions on downloads like the "mark of the web", and other controls that impede attacks that need user interaction.
If we're just going to focus on figuring out what makes a "safe" URL, we might as well implement RFC 3514.
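Why WebAuthn counts as a post-click control, as an added example that is not from the original post: the relying party rejects an assertion whose browser-written origin or RP ID hash does not match its own, however convincing the link looked. The RP ID, origins and challenge below are constructed values, and signature verification is left out.

```python
import base64
import hashlib
import json

# Assumed relying party (constructed values, not from the post).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion_context(client_data_json, authenticator_data, expected_challenge):
    """Return reasons to reject; an empty list means the binding checks pass.

    Only the origin/RP-binding steps of WebAuthn assertion verification;
    signature and counter checks are out of scope for this sketch.
    """
    problems = []
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        problems.append("wrong type")
    if client_data.get("challenge") != b64url(expected_challenge):
        problems.append("challenge mismatch")
    # The browser, not the page or the user, records the calling origin.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch")
    # The first 32 bytes of authenticatorData are SHA-256(RP ID).
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash mismatch")
    return problems


def sample(origin, rp_id, challenge):
    """Build constructed clientDataJSON and authenticatorData for the demo."""
    cdj = json.dumps({"type": "webauthn.get", "origin": origin,
                      "challenge": b64url(challenge)}).encode()
    # rpIdHash || flags (user-present bit) || 4-byte signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    return cdj, auth_data


if __name__ == "__main__":
    chal = b"constructed-challenge"
    print(check_assertion_context(*sample(EXPECTED_ORIGIN, RP_ID, chal), chal))
    # Constructed lookalike host on one of the new TLDs.
    lookalike = sample("https://login-example.zip", "login-example.zip", chal)
    print(check_assertion_context(*lookalike, chal))
```

Neither check depends on anyone reading the URL: the origin and RP ID hash are supplied by the browser and authenticator, so the decision is made after the click.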