Secure Invite Links by default

In-person phones don’t actually need the mobile network to swap contacts. I’ve successfully exchanged contacts over the LAN on a Pinephone with Bluetooth off and the cell modem airgapped.

A single-use or expiring QR code would be useful, but QR codes that last forever are also useful. Perhaps, instead of rendering QR codes unusable, we should just default to non-reuse, and warn of reuse.

For in-person scans, perhaps the QR code could be single-use by default: that is, once an in-person contact is established, that QR code is not displayed again, and it is recorded against the contact. If someone is later introduced to you by that contact, the UI can say whom they’re being introduced by.

When you make a QR code, the UI could ask you to either make a single-use code to scan right now, or to name the code to make it persistent (example names: “QR for Alice” or “Bob’s 2025 keysigning party”). Then you see the QR name when deciding whether to accept the contact.

As @bencan says, this very much ties in to @ell1e’s Trust design: perhaps an invite link shouldn't always be trusted (maybe it's a good idea to ask the user?).
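The single-use-by-default and named-persistent-code idea from the post above, sketched as an added example (not part of the post and not the project's code). `InviteRegistry`, its method names, and the verdict strings are hypothetical, and the contact addresses in the usage are constructed.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Invite:
    name: Optional[str]            # None means single-use, shown once in person
    contacts: list = field(default_factory=list)  # who joined through this code

class InviteRegistry:              # hypothetical model, names are assumptions
    def __init__(self):
        self._invites = {}         # token -> Invite
        self._origin = {}          # contact -> token they arrived through

    def create(self, name=None):
        """Make a single-use code (no name) or a named persistent one."""
        token = secrets.token_urlsafe(32)   # 256 random bits, unguessable
        self._invites[token] = Invite(name)
        return token

    def evaluate(self, token):
        """Return (verdict, message for the UI) without changing state."""
        inv = self._invites.get(token)
        if inv is None:
            return "reject", "unknown invite code"
        if inv.name is None:
            if inv.contacts:
                # Reuse of a single-use code: warn instead of hard-failing.
                return "warn", "single-use code already used by " + inv.contacts[0]
            return "accept", "fresh single-use code"
        # Persistent codes always show their name so the user can decide.
        return "ask", "arrived via '%s'" % inv.name

    def record(self, token, contact):
        """Bind an accepted contact to the code it arrived through."""
        self._invites[token].contacts.append(contact)
        self._origin[contact] = token

    def origin_of(self, contact):
        """Name of the code a contact used, or None for single-use/unknown."""
        token = self._origin.get(contact)
        return self._invites[token].name if token else None
```

Keeping `evaluate` free of side effects means a scan that the user declines never marks a single-use code as consumed; only `record` does.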