You just scanned an unreadable symbol. It could already send you anywhere. Vetting URLs by whether they look like they point at a redirect script seems like overkill.
Even that's not an absolute assurance, as millions of people who have failed to renew expired domains can attest. And the HTTP status codes have a whole block of redirect codes while just about every web server permits backend proxies. When you visit http://viral.example/ it can already send you anywhere; seeing the URL http://viral.example/qr only tells you that you're getting QR-specific content, and still does not tell you what that content is.
I guess the only problem is people can't recognize familiar URLS if you use a redirect page. If you link to a Facebook event for a concert, for example, people could see the trusted domain before visiting.