Brian Krebs writes on how browsers choose to display IDN. The issue here is of course spoofing valid URLs with visually similar letters. You probably would notice the lame attempt in the department line but some of the international characters are very similar or indeed identical. Depending on your personal preferences it might be a good idea to use punycode instead. Could save you a headache later.
https://krebsonsecurity.com/2018/03/look-alike-domains-and-visual-confusion/
Here are some of the applicable RFCs:
(Score: 2) by requerdanos on Sunday March 11 2018, @05:51PM
Only, as you mention, if your native language doesn't use non-ascii characters; otherwise punycode turns readable domains into machine-readable but human-unreadable gibberish, effectively removing the feature of "The domain of the current site appears in the address bar" for all sites whose domains are in your native language.
The gibberish may be "meaningful," but a string of "meaningful numbers and letters" in lieu of a human-readable name does not go easy on the eyes. It could arguably make spoofing easier; if someone is checking to make sure that the site is displayed as punycode gibberish, then they are not going to recognize a spoof site which also shows up as gibberish unless they compare character-for-character the punycode itself. That isn't really a part of anyone's workflow, and a kludge that requires that is a workaround, but no solution.