Is opening a desktop app using a custom URL protocol (URL scheme) safe, and will it not be blocked by Salesforce?

There's nothing wrong with this approach. Your custom protocol is no different than mailto: or ftp:. There's also a tradition of making a custom protocol for your application so that you can craft URIs that open into the app (Spotify and Slack come to mind for this).

I don't see Salesforce ever blocking this functionality because, in order to do that, they would need to prevent the URIs with these protocols from ever reaching the client.

Your approach is generally safe. I say generally because this application is only available to users in this Salesforce environment; they will need to have the program installed on their device and have their device configured to have these URIs open into the program; and their browser will ask them if they want to open a clicked link in the other application. All that considered, depending on the content of the URI, it may be possible to craft one that causes the application to open and do something the user doesn't intend (say, through a cross-site scripting attack).
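
The last point above is the one the desktop application has to handle: the URI it is launched with is untrusted input. As an added example (not code from the answer or from any real application), here is one way the handler could validate a launch URI before acting on it. The scheme name `myapp`, the two actions and the record-id pattern are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

SCHEME = "myapp"  # hypothetical scheme name
# Allowlist (assumed): action -> {parameter name: pattern the value must fully match}
ALLOWED_ACTIONS = {
    "open-record": {"id": re.compile(r"[A-Za-z0-9]{15,18}")},  # assumed record-id shape
    "show-home": {},
}
# Printable ASCII without spaces, capped in length, checked before any parsing.
SAFE_CHARS = re.compile(r"[\x21-\x7e]{1,512}")


class RejectedUri(ValueError):
    """Raised when a launch URI fails validation."""


def parse_launch_uri(uri: str) -> tuple[str, dict[str, str]]:
    """Return (action, params) for a valid launch URI, else raise RejectedUri."""
    if not SAFE_CHARS.fullmatch(uri):
        raise RejectedUri("length or character set")
    try:
        parts = urlsplit(uri)
        # parse_qsl percent-decodes, so patterns are checked on decoded values.
        pairs = (parse_qsl(parts.query, keep_blank_values=True, strict_parsing=True)
                 if parts.query else [])
    except ValueError as exc:
        raise RejectedUri("unparseable") from exc
    if parts.scheme != SCHEME or parts.fragment or parts.path not in ("", "/"):
        raise RejectedUri("unexpected scheme, path or fragment")
    spec = ALLOWED_ACTIONS.get(parts.netloc)  # the action sits in the host position
    if spec is None:
        raise RejectedUri("unknown action")
    params = dict(pairs)
    if len(params) != len(pairs) or params.keys() != spec.keys():
        raise RejectedUri("duplicate, missing or unexpected parameter")
    for name, pattern in spec.items():
        if not pattern.fullmatch(params[name]):
            raise RejectedUri(f"bad value for {name}")
    return parts.netloc, params


def try_parse(uri: str):
    """Convenience wrapper: None instead of an exception on rejection."""
    try:
        return parse_launch_uri(uri)
    except RejectedUri:
        return None
```

Anything that is not on the allowlist is dropped rather than interpreted, so a link a user is tricked into clicking can only trigger actions the application already exposes, with parameters of the expected shape.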