Thanks a lot for reporting this and especially for providing a unit test. That is a problem I will fix today. In general however, the aim is to get rid of the normalizeEndpointUri. It is used because the uri design for some components allows the creation of invalid URIs that cannot be passed, so using it was a workaround in the first place (from almost the very beginning). The endpoint creation is quite convoluted and is due for some refactoring anyway, but I thought it could wait until 3.0.
The goal for 3.0 is to ensure that all components only accept valid URIs, so it's the responsibility of the user to encode whatever needs encoding, as it the case with any other technology the uses URIs. There is a new method a component can override now, preProcessUri(String) that would convert (and log) the original invalid Uri into a valid one, which could be used instead of the original one. This should also help with migration.
On a side note, using clear passwords in the uri is not the most secure thing to do. You may want to take a look at camel-jasypt. It may provide a different, safer, workaround.