I am not sure why it's relevant whether methods are supported by GUI browsers at all (please refer to URIs by method, not "protocol"); because the security.txt is likely to be parsed automatically (since it is, of course, not HTML) and indeed, "tel:" and "mailto:" are both somewhat apt methods to be invoked by a company who's hiring/receiving reports, and doesn't want/need a website for it.
So yeah, it is important that this part of the RFC specify a difference between "web" and "non-web" URIs, because the authors of security.txt are free to use any URI method that makes sense.
SFTP (sort-of-FTP over SSH) was never browser supported afaik.
I'm not sure about FTPS (FTP over SSL/TLS), did browsers support it when they supported regular FTP?
HTTPS is probably the only protocol which is guaranteed to show content from the claimed source.