& as an escape character only applies to text nodes. Of course, if you want to display the URL on a page, you have to escape it, but not in the href.
That is incorrect. Entities apply to attributes.
In HTML escaping & is kind of optional and the browser just tries to figure out what you mean, but if you are doing things properly you should use & in href attributes.
You're supposed to escape & anywhere in HTML, not just in text nodes. If you don't (and many don't) it'll probably work, but browser first tries to interpret it as a start of an entity anyway. Even if it is inside a href etc.
I just found out you may - even in current HTML use entity references in attribute values, it’s just you don’t have to anymore, when the ampersand is not ambiguous.
The spec states it as: “Attribute values are a mixture of text and character references, except with the additional restriction that the text cannot contain an ambiguous ampersand.”
Whereas in the the days before HTML5 this has been mandatory.
> HTML 4.01 Specification – Appendix B.2.2 “Ampersands in URI attribute values”
https://www.w3.org/TR/html401/appendix/notes.html#h-B.2.2
> Unfortunately, the use of the “&” character to separate form fields interacts with its use in SGML attribute values to delimit character entity references.