Well, in the QR code and smartphone scenario, you also have to trust that the code in the smartphone all the way down to the hardware is trustworthy. Otherwise, you'll get attacked through the firmware or bugs in the OS or through custom sleeper electronics injected at the fab.
