This is why I've never scanned a public QR code. I wouldn't trust this random qr code to open a link on my phone. Which is unfortunate because I can see how it makes things easier for restaurants
The grapheneos camera shows you the link when you scan a qr code and then its up to you to decide to go to the site or not. It makes scanning qr codes safer then apps that automatically open scanned links.
This made me realise it would probably be trivially easy to make QR code stickers that first lead to a phishing page (please enter your payment details) followed by a link to a restaurants actual online ordering page.
Those restaurant ordering apps look so dodgy anyway I bet a quarter of people wouldn't suspect a thing.