He took a picture of the public address so it could be scanned. What's wrong with that?
This doesn't prove the address was created by the Ledger. Without verifying the device itself, this address could have been created by malicious software.
The fact that he took a picture has absolutelly nothing to with it
You said it proves the address came from the Ledger: