[BillinghamJ]

Isn't that meant to be cryptographically paired? Apps shouldn't be able to intercept random domain names whenever they want

You'd need the right info at URLs like:

https://example.com/apple-app-site-association

https://example.com/.well-known/apple-app-site-association

https://example.com/.well-known/assetlinks.json (Android)

(which obviously don't exist for this domain)