I would go with "better safe than sorry" if I had to manage this sort of data. It might be fine so long as the URLs are all non-identifying stuff like the Wikipedia home page. But I bet I would have users with much more revealing bookmarks, like, say, their Keybase profile page, or URLs with session/auth tokens in query strings, or the home page of their church which has a congregation of less than 50 people.