This is more restriction than necessary, and unkind to users who may be technically unsophisticated, distracted, sick that day, or just kinda dumb.
Include a link, make it a part of the core domain, short, and prominent: https://example.com/contact. If the user isn't logged in, lead with a login flow explaining "If you received a message from us, login for details", and include a contact form, phone number, and if there's a chat with customer support, that too.
These are all things a phish can spoof to some degree, but that's not a good reason to force the user to figure out how to resolve whatever problem you're bringing to their attention.
> This is more restriction than necessary, and unkind to users who may be technically unsophisticated, distracted, sick that day, or just kinda dumb.
Couldn't disagree more. By sending outbound links in notifications we're only perpetuating the idea that it's OK to click those in the first place. It's hardly any more difficult to just open your browser yourself. I also don't like the idea that we're not willing to accept the absolute mildest of inconveniences, when on the flip side we have loads of stories of people's lives being completely ruined when their life savings are stolen by scammers. It'd be like telling people not to lock their doors because that adds 5 seconds to the time it takes to enter your house.
It's a mild inconvenience to you; to some number of your customers, it will mean they never follow up on whatever presumably important message you were sending them.
Keep telling people not to click on links, ever. The ones who listen, and are paranoid about taking that advice literally, will look the company up on a search, or copy-and-paste the link instead of clicking it.
If I get a link from a company I have an account with, and the link is from their URL, I'm going to click it. I'll also check to make sure there wasn't some kind of redirect or Punycode involved.
But you're not helping your customers by refusing to provide them with an important affordance just because scammers might do something similar. That kind of logic doesn't help anyone, because "anyone" breaks down into two groups: the ones who click, and the ones who don't. The ones who click get to resolve the problem, the ones who don't have to do a search first, exactly what you're suggesting forcing everyone to do.
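The "check for a redirect or Punycode" step the commenter above describes can be made mechanical. The following is an added example, not code from anyone in this thread: a small checker that a notification recipient (or a mail-filtering pipeline on the defending side) could run over a link before trusting it. The expected domain `example.com` and the sample links are constructed for illustration.

```python
"""Added example, not part of the thread: a defender-side sanity check for a
link found in a notification, covering the points raised above (is it on the
company's core domain, is there a Punycode lookalike label, is there an
embedded redirect). The expected domain and sample URLs are constructed."""
from urllib.parse import urlparse, parse_qs


def check_link(url: str, expected_domain: str) -> list[str]:
    """Return the reasons a link looks suspicious; an empty list means it passed."""
    findings: list[str] = []
    parsed = urlparse(url)

    if parsed.scheme != "https":
        findings.append(f"scheme is {parsed.scheme or 'missing'}, not https")

    host = (parsed.hostname or "").lower()
    if not host:
        findings.append("no host in URL")
        return findings

    # Punycode labels carry the ACE prefix "xn--"; a lookalike of the brand
    # name built from non-ASCII characters will show up here.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"punycode label in host {host!r}")

    # "https://example.com@other.test/" displays a familiar name but the real
    # host is whatever follows the "@".
    if "@" in parsed.netloc:
        findings.append("userinfo '@' in authority; the real host is after it")

    # The host must be the core domain or a subdomain of it; a prefix match
    # such as "example.com.other.test" is deliberately rejected.
    expected = expected_domain.lower()
    if host != expected and not host.endswith("." + expected):
        findings.append(f"host {host!r} is not under {expected!r}")

    # Open-redirect pattern: a full URL carried in a query parameter.
    for key, values in parse_qs(parsed.query).items():
        for value in values:
            if value.lower().startswith(("http://", "https://", "//")):
                findings.append(
                    f"query parameter {key!r} carries a redirect target {value!r}"
                )

    return findings


if __name__ == "__main__":
    # Constructed sample links for a local run.
    samples = [
        "https://example.com/contact",
        "https://xn--exmple-cua.com/contact",
        "https://example.com/go?next=https://other.test/login",
        "https://example.com.other.test/contact",
    ]
    for link in samples:
        print(link, "->", check_link(link, "example.com") or "ok")
```

The check is intentionally conservative: it reports every reason at once rather than stopping at the first, so a reviewer sees the whole picture, and it treats "looks like the brand but is not under the core domain" as a finding regardless of how plausible the rest of the URL looks.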