Let's not be too paranoid. You can set up devices in such way that they read a qr code and display what was read without taking any action. This means that you can get malicious code, but will have to confirm it on the device for that code to execute. If you decide to scan a code with an address and get a bunch of strange code instead, just do nothing, cancel the whole process and flag this QR as scam attempt.
I use an offline wallet that isn't truly airgapped because it goes online from time to time when I transact, but for an attacker to be able to target me they'd have to know the IP of that machine and be there waiting when it comes online, which is literally impossible since last time I used it was months ago.