In general, I think it's expected that Emoji characters can display in the non-hostname portion of the omnibox. Can you elaborate on why you believe this to be a security vulnerability?

I'm not doing it as a professionalist, so I can't explain it properly, but it is potential gate for hacker.
It is new I/O channel (between hacker and user/browser), which isn't needed (risk is higher, than it could be).
I'm sure, that if someone will think about it, he/she will find a way, how to use it for evil purpouses.
For e.g user can think, that it is an virus/bug, So he will reinstal or restart chrome (do what hacker wants him to do). 

I have a better case.
Imagine:
- Person A is an old woman, which is using chrome, but she had no idea how things works in a internet world.
- Person B is an hacker, that is good in psychology.
- He is posting such (properly works) link, under which You can find some info about Jesus Christus.

1. Old Woman is pasting link.
2. Old Woman (or someone from her family) is erasing emots.
3. Now links provides to fake bank site.
4. Old Woman had bils to pay, So she decide do do it now.

You can imagine what is happening next.
This "feature" is leading to much of Such cases... 
I would also notice, that this feature was not planed (it is unusefull), so it is not what developer wants to do - its a bug that can be in the future "a bug in the system".

Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Since this is is non-hostname portion, it is not a security vulnerability. Removing emojis will still remove it from non-hostname portion.

Check Your def. of "security vornulabilty" ;) 

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot