
In my experience, it's never a good idea to point a QR code to a fixed domain. Always create a little redirect app where you can define later on what target the link should point to.

So for example point the link to http://mysite.com/qr

where you have a little PHP redirection file that you can edit at any time.




As a user, that would really annoy me. I like to know where I'm going before I put a URL in my browser.


Any URL can send you anywhere. If you trust the origin of the QR-code, there's no reason to not trust going to /qr.

For the record, I agree with reviewing the URL before hitting it, but if the domain matches what I expect, I'd be strongly inclined to trust the rest.


I don't think the majority of users check the URL of the QR code. Why wouldn't you trust the advertiser? I think it's really rare to see an advert that looks innocent, but actually isn't, and at the same time contains a QR code that has a "malicious-looking" URL.


I guess I'd trust ads more than random QR codes on blogs. My point is, if the point of a redirect is that you can send people to a different page later in time, then you really can't depend on the QR code taking you where you expect, or even to the same page that it used to go to.


If this is such a concern, you can always have your browser ask you for permission before it follows a redirect. Any URL anywhere could potentially redirect.


I guess the point is that there is a certain amount of comfort to be had if the URL is http://www.domainname.com/ because at least then you know that any redirects are intended for the entire world: no one is shuffling you through ad trackers making you feel like a pawn.


And if you care that much about the URL you should be able to infer from website.tld/qr that it's a QR code specific URL to track hits.


But if it's a redirect, it could send me anywhere. That's what I don't like about it.


You just scanned an unreadable symbol. It could already send you anywhere. Vetting URLs by whether they look like they point at a redirect script seems like overkill.


Oh, actually I've never used a QR code reader that didn't show me the URL before letting me decide whether to go there.


Even that's not an absolute assurance, as millions of people who have failed to renew expired domains can attest. And the HTTP status codes have a whole block of redirect codes while just about every web server permits backend proxies. When you visit http://viral.example/ it can already send you anywhere; seeing the URL http://viral.example/qr only tells you that you're getting QR-specific content, and still does not tell you what that content is.


I guess the only problem is people can't recognize familiar URLs if you use a redirect page. If you link to a Facebook event for a concert, for example, people could see the trusted domain before visiting.


Consider what can be done with a punycode'd URL here, too.

Mix a QR with a little punycode and you easily can end up anywhere, even if you do (quickly) review the URL before the jump.
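
An added example, not part of the thread or any commenter's code: a reader-side check on the URL text decoded from a QR code, which shows the punycode host in its Unicode form and flags mixed-script labels and hosts that differ from the one the user expects. The function names, the `expected_domain` parameter and the lookalike sample are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

def scripts_in(label):
    """Approximate the scripts in a label from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def review_scanned_url(url, expected_domain):
    """Return (display_host, warnings) for a URL decoded from a QR code.

    Only the URL text is inspected; no request is made, so a server-side
    redirect behind a matching host is out of scope for this check.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels, warnings = [], []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                # Decode the ACE form so the reader sees the real characters.
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                warnings.append("undecodable punycode label: " + label)
        if not label.isascii():
            warnings.append("non-ASCII label: " + ascii(label))
        if len(scripts_in(label)) > 1:
            warnings.append("mixed scripts in one label: " + ascii(label))
        labels.append(label)
    shown = ".".join(labels)
    if shown != expected_domain and not shown.endswith("." + expected_domain):
        warnings.append("host is not " + expected_domain)
    return shown, warnings

# Constructed sample: Cyrillic U+0430 replaces the Latin "a" in "viral",
# on the reserved .example TLD used elsewhere in the thread.
LOOKALIKE = "http://xn--" + "vir\u0430l".encode("punycode").decode("ascii") + ".example/qr"

if __name__ == "__main__":
    checks = [("http://airbnb.com/qr", "airbnb.com"),
              ("http://qrserv.clearcast.com/?adid=239af932e", "airbnb.com"),
              (LOOKALIKE, "viral.example")]
    for url, expected in checks:
        print(url, review_scanned_url(url, expected))
```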


Would you really be worried if AirBNB had a QR code which took you to http://airbnb.com/qr because it might be a redirect which could take you anywhere?


Currently, no. But I would be mad if they sold a redirect to someone else and it took me where I didn't expect. And if that happened often, then I would get more suspicious of redirects over time.


How about the more likely version: http://qrserv.clearcast.com/?adid=239af932e which redirects to http://airbnb.com/?


I don't much use QR codes, but when I want to go to a URL I got in email, and it looks like that, even if the email otherwise seems legit, I just type in the URL to the real site directly. Clicking on such a link feels like deliberately falling for a phish.


It's very common to use shortened URLs to decrease the complexity and size of the resulting code. I don't think most users scanning codes are any more concerned than they are clicking on a shortened Twitter link.


"it's never a good idea to point a QR code to a fixed domain" why not?



