Probably the bcur and qrparsing libraries. We have done some level and review and modifications to ensure security, however we do not have a third party auditing that we commissioned. The libraries are indeed open source, as well as the esp32 camera library (however the esp32 doesn't load the camera firmware)

blockstream_official

bitcoin

AMA - Blockstream Jade Team Enables Air-Gapped Transactions

What is the biggest attack vector for QR code based communication? 

Is the firmware for camera open source? Audited?