It really always comes down to trust, as always. Just like with URLs/links, you need to be cautious about where you're clicking. The same principle applies to QR codes. You wouldn't click a spam/scam link in an email from an unknown sender, so why scan a random QR code?

In terms of restaurants, they should be held accountable for any QR codes they are asking patrons to use.