How many characters can we say are safe if we verify them?
IMO this depends on the amount you are transferring.
For like 5$, checking just a few chars should be enough. The worst case is you lose 5$.
If you however transfer multiple thousands of $, i'd check at least 8 chars.
Generating a vanity address with 8 given chars costs around 1k$. And an attacker can't know whether you are checking the first or the last 8. Or if you maybe split it into 4 from the beginning and 4 at the end.
So, with 8 chars you should be on the safe side.
Do such viruses affect QR scanning?
Probably not.
But malware can still change QR codes to either change the address or the amount.
This exact type of malware which changes your clipping board with a similar looking address probably won't do that.
But whether THIS malware does it, shouldn't be your concern.