Problem/Motivation
LinkTypeConstraint::validate does not do access checking. It is possible to link to paths the user can not access. This is information leakage (especially in the presence of pathauto or similar). This behavior is tested(!) in LinkFieldTest by adding a link to admin which the test user can not access.
Also, in older Drupal you could not add a menu item if you didn't have access to it. Now you can.
Proposed resolution
Change Url::createFromPath to default to the access aware router. Add an option to opt out and use it for Shortcuts so that shortcut / standard profile installs.
Remaining tasks
Patch + test Url::createFromRequest too.
User interface changes
As in Drupal 6-7, you can not link to something you can't access.
Field link items store the system path (route name+parameters, actually) but the default widget shows paths aliased irregardless of whether they were entered with an an alias or not. Given that's how Drupal displays them that seems the right behavior. D7 stored the system path too. Storing the alias would require a mass change in stored links if we were to store the alias.
API changes
Url::createFromPath now throws AccessDeniedHttpException. Catch as necessary.