Replace url.QueryEscape() with url.PathEscape() #674
Closed
Description
This is a subtle bug: https://go.dev/play/p/LZdsnzZkgKH
With QueryEscape() spaces are encoded to +
With PathEscape() spaces are encoded to %20
Affects a few other characters too, but space is clearly the most likely use-case that could be hit.
I think it's safe to assume TUF is targeting the URL paths, not queries. Therefore correct handling by HTTP servers is only really assured when using PathEscape().
RFC 3396 Section 2.3: https://www.rfc-editor.org/rfc/rfc3986#section-2.3
PR #675
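The mismatch described in this issue, as an added example that is not code from the issue, the linked playground, or the project: a target name is escaped with each function and then decoded under path rules, which is how a server reads a request path. The function name `RoundTrip` and the sample target names are constructed for illustration, and path decoding is modelled with `url.PathUnescape`.

```go
package main

import (
	"fmt"
	"net/url"
)

// RoundTrip (hypothetical helper) escapes a target name with the given
// escaper, then decodes it under URL path rules, where "+" is a literal plus
// and only %XX sequences are decoded. It returns the escaped form, the name
// the server would look up, and whether that name equals the original.
func RoundTrip(name string, escape func(string) string) (escaped, served string, ok bool) {
	escaped = escape(name)
	served, err := url.PathUnescape(escaped)
	if err != nil {
		return escaped, "", false
	}
	return escaped, served, served == name
}

func main() {
	// Constructed target names, not taken from any real repository.
	names := []string{"my file.txt", "a+b.txt", "plain.txt"}
	escapers := []struct {
		label string
		fn    func(string) string
	}{
		{"QueryEscape", url.QueryEscape},
		{"PathEscape", url.PathEscape},
	}
	for _, n := range names {
		for _, e := range escapers {
			escaped, served, ok := RoundTrip(n, e.fn)
			fmt.Printf("%-12s %-14q -> %-18q server sees %-14q match=%v\n",
				e.label, n, escaped, served, ok)
		}
	}
}
```

Only the name containing a space fails the round trip with `QueryEscape`: the client requests `my+file.txt`, which a path-decoding server treats as a different file name.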