[hamasho]

One way to exploit this is to send the QR code through email or messaging app. When I open the email or see the message, the image may be downloaded, scan starts, and it makes requests which expose my information, including IP, without realizing it.

[zimpenfish]

That's expected, I think, because people want link previews (and I'd put money on what's happened in this case because it's the iMessages bot that fetched the URL rather than anything else like photosd or spotlight.)