Thanks for the answer. I have researched this a little bit more and found that you are about half right ;-)
Unfortunately as you can see the Java code only calls getActionURL() and fails to call ExternalContext.encodeActionURL().
I will create an issue for facelets, but doubt that it will be fixed in the foreseeable future.
There's another bug (a simple typo) that prevents the default facelets debug page to function correctly (the root node for the component tree never expands). That bug is about a year old.
Maybe Seam could include an improved version of ui:debug?
I'm not sure that would be very appropriate for seam. I'm looking now to see if I can override the getActionURL code to perform rewriting. I don't know if that's reasonable or if it's even correct in the larger sense, but it would solve at least some of these cases where getActionURL is called without calling the servlet encodeURL.