@boblord Wow that was quick, glad I could help!
I've been doing infosec for ~20 years but I only realized recently we communicate wrong after some relatives fell for QR-based scams and had to walk them through what happened.
I agree that determining risk is incredibly hard in this case and TBH I think "don't trust QRs" may be more effective than trying to teach everyone URLs, DNS and PKI...