This is the best heuristic to apply not just for QR code scanning, but for pretty much everything. To avoid malware, avoid the Play Store.
When using F-Droid, also check out the project web site and git repo (at least in a cursory way; even if you can't fully audit the code, you can get a sense of who the developer is and the project's overall health from the commit log and issue tracker).
It's not truly safer. It's just smaller, and only has open-source apps. So it's harder to hide malware, but still certainly possible (nobody checks most apps).
The issue is the "finely curated" statement. It's not a full code review, just "Wherever possible, applications in the repository are built from source, and that source code is checked for potential security or privacy issues. This checking is far from exhaustive though, and there are no guarantees."[1] After an app is added to F-Droid it gets built from source by the F-Droid build servers, but it does not generally get re-reviewed. It's perfectly possible to add the malware after the initial release. It's also possible (even easy) for malware to be missed by the limited code review. F-Droid is a little safer, but that doesn't mean it's particularly safe. It's no harder to get malware on F-Droid than it is to get it into Arch or Debian or any other distro repository.