In terms of the transport, sure.
But if you put the password in a URL, the user’s browser is going to turn around and store that plaintext password in its history, then sync it to the user’s other devices, and then pop it up on their screen in the address bar autocomplete, perhaps when the user is screen sharing or streaming to hundreds of people. The browser does not expect a password to be stored there and will mishandle it.
No?
I mean, how else are you meant to play the game actually?
I guess you could be like opening ports just to particular IPs. And you need a game that isn’t Swiss cheese that gets immediately hacked.
But like hackers don’t sort of seep in through port forwards; they need to physically identify and exploit a particular vulnerability.