He took a picture of the public address so it could be scanned. What's wrong with that?
This doesn't prove the address was created by the Ledger. Without verifying the device itself, this address could have been created by malicious software.
The fact that he took a picture has absolutelly nothing to with it
You said it proves the address came from the Ledger:
So somebody creates a malicious software and doesn't empty the address? +4 BTC total? I think i have made a good and strong case that this was probably a technical problem and still...... it must be the photo.....