  1. RESTEasy
  2. RESTEASY-3343

The UriBuilder.queryParam() does not encode ? in the resulting URL, leaving the ? intact


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major

      More details at https://github.com/quarkusio/quarkus/issues/34522.

      Given the below code:

      final UriBuilder builder = UriBuilder.fromUri(baseUri)
              .queryParam("redirect", "/web-app/rest/secure/test?user=me");
      final var uri = builder.build();
      

      This should produce:

      http://localhost:8080/web-app/rest/test?redirect=%2Fweb-app%2Frest%2Fsecure%2Ftest%3Fuser%3Dme
      

      However, it produces:

      http://localhost:8080/web-app/rest/test?redirect=%2Fweb-app%2Frest%2Fsecure%2Ftest?user%3Dme
      

      Note the test?user instead of test%3Fuser.

       

      At a guess, given the following comment from https://datatracker.ietf.org/doc/html/rfc3986#section-3.4, I think this is likely why the ? was not encoded:

      However, as query components are often used to carry identifying information in the form of "key=value" pairs and one frequently used value is a reference to another URI, it is sometimes better for usability to avoid percent-encoding those characters.

      I suppose this makes it debatable whether or not this is a bug. However, as mentioned in the Quarkus issue, the Apache URIBuilder does encode the value. Other tested implementations of the Jakarta REST spec also escape the character in a UriBuilder.

              jperkins-rhn James Perkins
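The following is an added example, not code from the report or from RESTEasy. Using only the JDK, it builds the strictly encoded form of the redirect value (the URL the report expects) and then parses both the expected and the reported URL by splitting at the first `?`, showing that such a parser recovers the same `redirect` value from each, so any difference in behaviour comes from consumers that split the query differently. The class and helper names (`QueryParamEncodingCheck`, `encodeStrict`, `parseQuery`) are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class QueryParamEncodingCheck {
    // Base URI taken from the expected output in the report.
    static final String BASE = "http://localhost:8080/web-app/rest/test";

    // Strict encoding: escape everything except RFC 3986 unreserved characters.
    // URLEncoder targets form encoding, so adjust its three differences.
    static String encodeStrict(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8)
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    // Split the raw query on '&' and the first '=', then decode each part.
    // Note: URLDecoder also maps '+' to a space (form decoding).
    static Map<String, String> parseQuery(URI uri) {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : uri.getRawQuery().split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    public static void main(String[] args) {
        String target = "/web-app/rest/secure/test?user=me";
        String expected = BASE + "?redirect=" + encodeStrict(target);
        // The URL the report says was produced, copied verbatim.
        String reported = BASE + "?redirect=%2Fweb-app%2Frest%2Fsecure%2Ftest?user%3Dme";

        System.out.println(expected);
        for (String url : new String[] {expected, reported}) {
            URI uri = URI.create(url); // everything after the first '?' is the query
            System.out.println(uri.getRawQuery() + " -> " + parseQuery(uri));
        }
    }
}
```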