"Why we prominently display the domain name BEFORE authenticating" - users are stupid, they never check the URL despite how many times you tell them to. An average user storing their password in a password manager in their browser is thousands of times more secure than this, simply because the average user is stupid.
In order for the SQRL domain to be incorrect the website would have had to have been compromised - so it would be the same situation if someone used a regular username/password.
The Problem: Evil website obtains SQRL code from innocent site, presenting that to the user in place of the SQRL code for the Evil site. The unwitting user snaps the SQRL code without noticing that it's for a different website. Thus the Evil website effectively impersonates the user to the innocent site and can authenticate as them.
The Defense: This form of “phishing” attack arises because the domain name contained within the SQRL code is not immediately obvious. So a different domain name can be presented by the Evil site. This is why the user will always be clearly shown the domain name contained within the SQRL code and warned that they will be providing their login credentials for THAT website domain, not necessarily the one they are apparently logging in to.
So it sounds like a warning would be shown saying "hey, this is attempting to log you into a site you did not mean to."
Problem is there is no warning.
You type amazone.com instead of amazon.com. The owner of amazone.com (hypothetically) is a bad guy and sticks the amazon.com SQRL code on a fake Amazon page to scan.
The SQRL app replies that it is trying to auth on amazon.com (true), so I say OK.
But I'm not on Amazon, I'm on amazone. Yes, if I looked at the URL I could see it, but I have to check; nothing will tell me to check.
Note this would be just as true for a plain userid/pass as for SQRL. Not any weaker, but not stronger either.
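
An added example, not part of any comment above and not code from the SQRL project: the check the thread says is missing, for a client that can see which page is presenting the code. It assumes a same-device login where a browser integration passes the page URL to the client; with a phone scanning a QR code the client has no such input and can only display the domain. The function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit


def host_of(url):
    """Hostname of a URL, lower-cased, without port, userinfo or trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def sqrl_domain(sqrl_url):
    """Domain the SQRL code authenticates to (the one the app displays)."""
    if urlsplit(sqrl_url).scheme != "sqrl":
        raise ValueError("not a sqrl:// URL")
    domain = host_of(sqrl_url)
    if not domain:
        raise ValueError("SQRL URL carries no domain")
    return domain


def review_login(sqrl_url, page_url):
    """Compare the domain inside the SQRL code with the page presenting it.

    Assumption: page_url is supplied by the browser (same-device login).
    """
    auth = sqrl_domain(sqrl_url)
    page = host_of(page_url)
    match = bool(page) and auth == page
    prompt = f"You are about to authenticate to: {auth}"
    if not match:
        prompt += (f"\nWARNING: this code was presented by {page or 'an unknown page'}, "
                   f"not by {auth}. Do not continue unless you expected that.")
    return {"auth_domain": auth, "page_domain": page, "match": match, "prompt": prompt}


if __name__ == "__main__":
    # Constructed sample: the mistyped-domain case described in the thread.
    relayed = review_login("sqrl://amazon.com/auth?nut=constructed-value",
                           "https://amazone.com/signin")
    print(relayed["prompt"])
    # Constructed sample: code and page agree, so no warning is added.
    genuine = review_login("sqrl://amazon.com/auth?nut=constructed-value",
                           "https://amazon.com/signin")
    print(genuine["prompt"])
```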