
The menu doesn't ask for payment typically; the server still does that, so a QR substitution attack would do nothing useful other than confuse the customers and staff for about 10 minutes before they decide to just rewrite the menu on some paper and deal with the problem after closing.



In Australia, QR code to website menu->order->pay has become the norm; restaurants without it are increasingly rare[1]. There are 2 or 3 major vendors of such systems, generally respectable (though a few dark patterns on some of them). I'm completely surprised there haven't been substitution attacks already.

[1] These emerged during/after lockdowns to minimise staff contact with diners, but have stuck around as there's an employment crisis whereby restaurants (and plenty of other businesses) can't find staff, so this reduces the need for staff to stand around waiting for you to place your order.


Sure, I haven’t described the universe of QR code usage at restaurants. The point still stands that a QR code at a table is an abusable trust boundary in some places where it’s used.


It probably depends on where you live/how tech-savvy your area is, but where I am, it's fairly common to order and pay through the QR menu as well.


In Sydney Australia it is common for the payment to happen through the QR code flow. It’s backed by well-known apps though, not unknown 3rd parties.



