There have been instances of .es used as vanity domains being requested for deletion: https://www.namepros.com/threads/recepi-es.943453/ so I would be cautious.
Edit: here's the full legal regulation regarding the use of the domain, but sadly it's only in Spanish: https://www.boe.es/boe/dias/2005/05/31/pdfs/A18170-18175.pdf
2. https is a must if it is to be successful
3. I entered a custom url like_this and it was automatically changed to like-this, which is nice, but was very confusing, since I couldn't later find the page. I think it would be better to just tell me that I included some characters that are not allowed. Same with dots, which got me while trying to create robots.txt ;)
The use of unencrypted HTTP is probably deliberate to allow it to be used on even very dumb devices like feature phones (see http://txti.es/images/images) and to remove the 1 to 2-RTT latency penalty for TLS 1.2 connections since that can matter when your connection latency is on the order of seconds.
