My bad, my main point is that likely the most restrictive would be one of the corporate/private TLDs that are for internal use mainly. .xyz was a bad example. Maybe better is .bananarepublic
There's literally hundreds of new gTLDs like this that only have the one required nic.tld on them and nothing else (because they haven't launched yet and might never). My team runs a couple dozen of these.
For comparison's sake, we should probably restrict ourselves to legacy gTLDs, ccTLDs, and open, launched new gTLDs.
For comparison's sake, we should probably restrict ourselves to legacy gTLDs, ccTLDs, and open, launched new gTLDs.