should torbrowser enable network.IDN_show_punycode by default?
Firefox and torbrowser do not show punycodes by default.
The attack vector is discussed here, including a demo:
https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information