OpenURI portal w/o user granting permission

[Stephan Bergmann]

At least with a recent build of xdg-desktop-portal and 
xdg-desktop-portal-gtk, sending an 
org.freedesktop.portal.OpenURI.OpenURI request does not always involve 
the user granting permission first:  For example, if the given uri 
argument is in the form of a valid http URL, it is passed directly to 
the browser to open it.  (Only if the argument is of some non-URL form a 
"Select application" dialog comes up.)  Isn't that a privacy and 
security issue?