My impression is that all the major browsers show these links as punycode for security reasons. What is the point of these then? Is punycode defaulted to "off" in some countries? Wouldn't that just create two classes of users, one more vulnerable to phishing than the other?
It looks like if you add Arabic as a language in Chrome, domains aren't converted. (And actually it will change http://xn--ggblala6cyf.xn--wgbh1c/ to ستفتاء.مصر in the address bar.)
That is not correct. For example, Mozilla takes a white list approach where they add TLDs that have registration policies that limit the risk of phishing (which is most of them).
Logically, one would think your native language's script would automatically get "whitelisted" and rendered properly, while everything else is punycoded as usual.
Even the TLDs aren't actually in the native script, they are punycoded in the spec. https://en.wikipedia.org/wiki/Internationalized_domain_name#... So the new TLD of فلسطين is really .xn--ygbi2ammx and both inputs will work, you can just use whichever is easier for you to type.
