For anyone wanting more knowledge about QR codes, this article might be useful-- https://usa.kaspersky.com/resource-center/definitions/what-is-a-qr-code-how-to-scan
It is from the perspective of a private international cybersecurity company,
Also just be aware that QR codes can be used maliciously. QR code as part of museum copy on an exhibit case doesn't concern me, but I'm wary of QR codes in the wild or a random code printed on a sheet of paper and taped over another.
Attackers can embed malicious URLs containing custom malware into a QR code which could then exfiltrate data from a mobile device when scanned. It is also possible to embed a malicious URL into a QR code that directs to a phishing site, where unsuspecting users could disclose personal or financial information.
Because humans cannot read QR codes, it is easy for attackers to alter a QR code to point to an alternative resource without being detected. While many people are aware that QR codes can open a URL, they can be less aware of the other actions that QR codes can initiate on a user’s device. Aside from opening a website, these actions can include adding contacts or composing emails. This element of surprise can make QR code security threats especially problematic.
A typical attack involves placing malicious QR codes in public, sometimes covering up legitimate QR codes. Unsuspecting users who scan the code are taken to a malicious web page which could host an exploit kit, leading to device compromise or a spoofed login page to steal user credentials. Some websites do drive-by downloads, so simply visiting the site can initiate a malicious software download.
Mobile devices, in general, tend to be less secure than computers or laptops. Since QR codes are used on mobile devices, this increases the potential risks.