No, Flask generates URLs properly URL encoded; demoing with an existing application:
>>> with app.test_request_context('/'):
... print url_for('core.city', city='new york')
...
/new%20york
Your browser on the other hand may elect to show such URLs decoded for ease of reading.
url_for()
quotes input to be URL-safe; encoded URLs cannot contain values that could be interpreted as HTML, so you are safe there as far as user-supplied values are concerned.