by afavour 1032 days ago
> Can you quickly tell which of the URLs below is legitimate and which one is a malicious phish that drops evil.exe?

> github.com∕kubernetes∕kubernetes∕archive/refs/tags/@v1271.zip

> github.com∕kubernetes/kubernetes∕archive/refs/tags/v1.27.1.zip

https://medium.com/@bobbyrsec/the-dangers-of-googles-zip-tld...


The vulnerability still lies within the browser in this scenario. It should actually be somewhat trivial for all the major browsers to prevent this sort of attack.

This is obsolete functionality; I can't remember the last time I needed to authenticate to a website using the username@domainname.tld functionality. It should be something hidden behind a config: setting to turn on if you run into a legacy website still requiring it and know exactly what you're doing.
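To see why the quoted URLs differ, it helps to parse them the way a URL parser does: everything before `@` in the authority is userinfo, so the look-alike slashes (U+2215 DIVISION SLASH) only make that userinfo resemble a path. The following is an added example, not code from the thread or the linked article; the two sample URLs are constructed here after the pattern quoted above, and the list of look-alike code points is a small hand-picked set, not an exhaustive one.

```python
"""Show which host a URL really points at when the legacy user@host form is
combined with characters that render like "/" but are not path separators."""
import unicodedata
from urllib.parse import urlsplit

# Hand-picked code points that look like "/" in most fonts (assumption: not exhaustive).
SLASH_LOOKALIKES = {"\u2215", "\u2044", "\u29f8", "\uff0f"}
# TLDs that double as common file extensions, the .zip case from the thread included.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Constructed samples modelled on the thread's quote; all slashes in the
# phish's "path" are U+2215, so the only real authority delimiter is "@".
PHISH_URL = ("https://github.com\u2215kubernetes\u2215kubernetes\u2215archive"
             "\u2215refs\u2215tags\u2215@v1271.zip")
LEGIT_URL = "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip"


def analyze_url(url: str) -> dict:
    """Return the effective host plus the signals that make a URL suspicious:
    non-empty userinfo, slash look-alikes, and a file-extension TLD."""
    lookalikes = [(i, unicodedata.name(c)) for i, c in enumerate(url)
                  if c in SLASH_LOOKALIKES]
    try:
        parts = urlsplit(url)
    except ValueError:
        # urlsplit rejects authorities whose NFKC form would contain "/", "@" etc.
        # (e.g. FULLWIDTH SOLIDUS); a parser refusing the URL is itself a signal.
        return {"host": None, "userinfo": "", "lookalikes": lookalikes,
                "file_ext_tld": False, "suspicious": True}
    host = parts.hostname or ""
    userinfo = parts.username or ""
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    return {
        "host": host,
        "userinfo": userinfo,
        "lookalikes": lookalikes,
        "file_ext_tld": tld in FILE_EXTENSION_TLDS,
        # Userinfo that is dressed up with fake slashes is the exact shape of the trick.
        "suspicious": bool(userinfo) and bool(lookalikes),
    }


if __name__ == "__main__":
    for url in (PHISH_URL, LEGIT_URL):
        r = analyze_url(url)
        print(f"host={r['host']!r} userinfo={r['userinfo']!r} "
              f"lookalikes={len(r['lookalikes'])} suspicious={r['suspicious']}")
```

The first URL resolves to host `v1271.zip` with `github.com∕…∕tags∕` as the username, while the second resolves to `github.com` with no userinfo at all.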

...so?

The point is that no one was asking for a .zip TLD. It's common sense to not make one. "We should break backwards compatibility on the web so that Google can sell a TLD" is not a defensive viewpoint.

That vulnerability exists even without .zip domain names; it just makes it a little easier to pull off.