Honestly why is that a problem? If a TLD gets confused for a file extension your browser has a serious bug.
We've had .com, .info, .ai, .app, .sh, .st, .pl, .so, and many other TLDs that are the same as existing file extensions for years now and it's never been a problem.
The vulnerability still lies within the browser in this scenario. It should actually be somewhat trivial for all the major browsers to prevent this sort of attack.
This is obsolete functionality, I can't remember the last time I needed to authenticate to a website using the username@domainname.tld functionality. It should be something hidden behind a config: setting to turn on if you run into a legacy website still requiring it and know exactly what you're doing.
The point is that no-one was asking for a .zip TLD. It's common sense to not make one. "We should break backwards compatibility on the web so that Google can sell a TLD" is not a defensive viewpoint.
We've had .com, .info, .ai, .app, .sh, .st, .pl, .so, and many other TLDs that are the same as existing file extensions for years now and it's never been a problem.