The "unreserved" characters are generally "safe" to use:
2.3. Unreserved Characters
Data characters that are allowed in a URI but do not have a reserved purpose are called unreserved. These include upper and lower case letters, decimal digits, and a limited set of punctuation marks and symbols.
Unreserved characters can be escaped without changing the semantics of the URI, but this should not be done unless the URI is being used in a context that does not allow the unescaped character to appear.
For details, see the cited document.
[added] Use of other characters is not "illegal" per se, but the client and the server will send them as escaped hex-encoded entities. For example, a space is sent as "%20" -- which looks awful in the browser address bar, is very difficult to remember and to type, and should therefore be avoided. [/added]
[edited by: jdMorgan at 10:19 pm (utc) on Sep. 7, 2007]