That is not correct. For example, Mozilla takes a white list approach where they add TLDs that have registration policies that limit the risk of phishing (which is most of them).

http://www.mozilla.org/projects/security/tld-idn-policy-list...