Do you have any concrete wording in mind?

No, I don't, sorry.

I think we have to separate between the constraint @URL and its constraint validator implementation

Hhmm, true, that's a good point. Still, the constraint makes certain promises (must do so) as for the valid data range. The chosen implementation must adhere to that. Hence, I see the Javadoc of the constraint as a set of requirements for the validator implementation. If the constraint documentation claims that it ensures all values conform to RFC2396 then the validator implementation must fulfill that.