Yes, so worst case you paid a little bit of money to the wrong account. This is much worse - usually the QR code leads you to an app that then authenticates with your bank and can transfer and arbitrary amount of money out.
The problem I think is with the bank. They don't give you a way to authorize a single payment or authenticate yourself without just giving away total access to your funds.
It should be like cryptocurrency where there is a separation of the public and private key. Or even better, something like chaumian e-cash. I feel like that would pretty much shut down the majority of financial crime.
Since it's all tied to real IDs, wouldn't that involve heavy risks from the scammer's side? I know it's possible, but still a bit less risk if your Scam HQ operates overseas.