I am not sure why it's relevant whether methods are supported by GUI browsers at all (please refer to URIs by method, not "protocol"); because the security.txt is likely to be parsed automatically (since it is, of course, not HTML) and indeed, "tel:" and "mailto:" are both somewhat apt methods to be invoked by a company who's hiring/receiving reports, and doesn't want/need a website for it.
So yeah, it is important that this part of the RFC specify a difference between "web" and "non-web" URIs, because the authors of security.txt are free to use any URI method that makes sense.
So yeah, it is important that this part of the RFC specify a difference between "web" and "non-web" URIs, because the authors of security.txt are free to use any URI method that makes sense.