@boblord I agree with your post and also that scanning QRs is not the problem (as stated on Hacklore).
Now that I look more into it, I think I found what's been bugging me about this point. It seems that QR is the only part where Hacklore expects extra work from the user:
"which is mitigated by existing browser and OS protections, and by **being cautious** about the information you give"
... but the recommendations don't say anything about how to "be cautious", while scams initiated via untrustworthy channels are a very real problem.
I think this should deserve a recommendation bullet point with at least some rules of thumb. I'm thinking along the lines of:
"If you are contacted via $untrusted_comms to give out $sensitive_data, reject the request and initiate the contact yourself via $known_good" (may be simple enough to work if phrased carefully?)