Usually the parameter you put in your url looks something like this:

api_with_token:
  path: '/api/update-user/{token}'
  defaults: { _controller: App\Controller\UserController::update }
  methods: [POST]

With this there is no way for your parameter to include a /. If you call the url /api/update-user/my/token the route will simply not be found.

But there might be use cases where this might be necessary. A token might be one if you can't make sure that there are no problematic characters in there. For this you can define a requirement which allows for all characters including a slash:

api_with_token:
  path: '/api/update-user/{token}'
  defaults: { _controller: App\Controller\UserController::update }
  methods: [POST]
  requirements:
    token: .+

The url doesn't even have to end with / before you can start the token, you could also use it with /api/redirect-to{url} and call a url with /api/redirect-to/api/update-user/8ba5afde-169e-4477-8adf-1e286ca996e0. This would then provide the controller with a parameter $url with the value /api/update-user/8ba5afde-169e-4477-8adf-1e286ca996e0.

As you can imagine there's a lot of magic use cases possible through this. So be careful that you don't put in to much magic.