That's exactly my point - double check everything. Assuming QR codes are zero risk is a bad idea. They are only as good as the software/device which generates them, and if that device is compromised, then so too is your QR code.
I do not know, but the chances of this succeeding seem slim, because either by changing the receiving address, which I liken to a clipboard virus, or that the software that you downloaded is not official, otherwise I do not think that there is a way to QR phishing here.
Can hackers modify signed message? Or tamper with the content of master public key without downloading an unofficial version?
I know with certain software like Metamask it’s more risky because the extension uses a small portion of desktop space and only shows the first few characters and last few characters. So it’s harder to verify the address you are sending it too is one of your own wallets.
Assuming Metamask shows the first 6 characters and the last 6 characters, 12 characters total, I think that's enough.