Closed
Description
The following does pass as a valid URL (just had a real user entering something like this):
http://me@example.com
In reality, the user just entered their email address. Symfony's UrlType::class prefixed http://, and the Url constraint accepts this by treating me as the "userinfo" part of the URL (see RFC 3986).
So I'm suggesting an option to forbid "email-like" URLs, i.e. don't accept username/password before the domain, i.e. forbid any @ character. This is somewhat related to #39986, in the sense that an option named public_url could solve both issues.
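The behaviour described in the issue, reproduced in plain PHP as an added example (not code from Symfony or from the issue author). The helpers `withDefaultScheme` and `urlHasNoUserinfo` are hypothetical names; the first only imitates the scheme prefixing the issue attributes to the form field, and the check inspects the parsed userinfo component rather than searching the whole string for `@`.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not Symfony code): prepend a default scheme when the
// submitted value has none, as the issue describes the form field doing.
function withDefaultScheme(string $input, string $scheme = 'http'): string
{
    $hasScheme = preg_match('~^[a-z][a-z0-9+.\-]*://~i', $input) === 1;
    return $hasScheme ? $input : $scheme . '://' . $input;
}

// Hypothetical check: accept only URLs whose authority has a host and no
// userinfo component (the part before "@", RFC 3986 section 3.2.1).
function urlHasNoUserinfo(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])) {
        return false; // unparseable or host-less input is not accepted
    }
    return !isset($parts['user']) && !isset($parts['pass']);
}

// Constructed sample inputs, as a user might type them into a URL field.
$samples = [
    'me@example.com',                                   // email address typed by mistake
    'user:secret@example.com',                          // username and password before the host
    'example.com',                                      // bare host name
    'https://example.com/contact?email=me@example.com', // "@" only in the query string
];

foreach ($samples as $input) {
    $url = withDefaultScheme($input);
    $verdict = urlHasNoUserinfo($url) ? 'accept' : 'reject';
    printf("%-50s => %-50s %s\n", $input, $url, $verdict);
}
```

The last sample has an `@` in its query string but no userinfo, so a component-based check keeps it while a check for any `@` character would not.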