I think part of the reasoning was down to there being a lot of Unicode characters that look identical to ASCII ones, and that it would make creating legitimate looking domains for phishing a lot easier.
My understanding is that punycode wasn't originally meant to be used by humans. It was just the workaround used to encode non-ASCII names in ASCII-only DNS records.
Later browsers decided to show punycode in the URL bar instead of the decoded value in an effort to fight phishing until "they have a better solution". e.g.
Later browsers decided to show punycode in the URL bar instead of the decoded value in an effort to fight phishing until "they have a better solution". e.g.
https://bugzilla.mozilla.org/show_bug.cgi?id=282270