We should use href=":link" instead of href="@link" as a best practice in core.
href="@link" is insecure in some cases because it's not filtering insecure protocols.
We should use href=":link" to prevent creating insecure code when developers copy&paste code from core.
I know that code like this is safe:
<a href="@drupal">Drupal.org</a>.', ['@drupal' => 'https://drupal.org']
but I think we should also use :drupal as a best practice in core, always using the secure variant to prevent copy&paste mistakes.
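The difference between the two placeholders, as an added example that is not part of the original post and is not Drupal core code: a simplified stand-alone model of what FormattableMarkup does for "@" (HTML-escape only) and ":" (strip disallowed URL schemes in the manner of UrlHelper::stripDangerousProtocols(), then HTML-escape). The function names, the shortened ALLOWED_PROTOCOLS list and the sample inputs are assumptions made for illustration.

```php
<?php
// Simplified model of Drupal's '@' and ':' placeholder handling, written for
// illustration; it is not Drupal core code. ALLOWED_PROTOCOLS is an assumed,
// shortened allowlist.
const ALLOWED_PROTOCOLS = ['http', 'https', 'mailto'];

// '@' placeholder: HTML-escape only. The URL scheme is left untouched.
function escape_at(string $value): string {
  return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// ':' placeholder: strip disallowed schemes first, then HTML-escape.
function escape_colon(string $value): string {
  // Repeat so that stacked schemes ("javascript:javascript:...") are all removed.
  do {
    $before = $value;
    $colon = strpos($value, ':');
    if ($colon > 0) {
      $scheme = substr($value, 0, $colon);
      // A '/', '?' or '#' before the colon means it is not a scheme delimiter.
      if (!preg_match('![/?#]!', $scheme)
          && !in_array(strtolower($scheme), ALLOWED_PROTOCOLS, true)) {
        $value = substr($value, $colon + 1);
      }
    }
  } while ($before !== $value);
  return escape_at($value);
}

// Hypothetical helper: substitute one placeholder according to its prefix.
function render(string $template, string $key, string $value): string {
  $safe = $key[0] === ':' ? escape_colon($value) : escape_at($value);
  return strtr($template, [$key => $safe]);
}

// Constructed sample inputs: a trusted literal and a value with an unsafe scheme.
$inputs = ['https://drupal.org', 'javascript:alert(1)'];
foreach ($inputs as $url) {
  echo render('<a href="@link">link</a>', '@link', $url), PHP_EOL;
  echo render('<a href=":link">link</a>', ':link', $url), PHP_EOL;
}
```

For the https:// literal both templates render the same markup, which is why the hard-coded case is safe; for the second input only the ":link" template loses the scheme.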