This all is then somehow more secure because the wallet is not stored on the active machine, but separately.
Almost. If the wallet isn't on the active machine, it can't be lost or stolen.
What is the definition of active machine then? If the Udoo pc is doing mining then its connected to the Internet and very much an active machine.
SSH would be configured to accept connections to the wallet only from devices with specific uuids.
I have never heard of such an option. Where in sshd_config is there such an option?
I send a request for x amount of bitcoins, get back a qr code, the merchant scans the code, transaction is done.
It doesn't work like that. You have to specify the recipient's address and amount and it is bitcoind that will send the transaction over the network.