closed a third. Turns out Windows sometimes do fun IDN-like unicide-to-ascii conversions for command lines that then allows users to insert unicode characters in cmdline argument when run on windows, and they are converted to their ASCII look-alike counterparts. Which can be abused to insert arguments and what not.
Not a curl security flaw. Just the weirdest Windows feature I've seen in a while. And probably a security problem in many places.