Think of air gapped devices as the safest for cold storage

[hmbdofficial]

I have heard about the cold storage using air gap system as the safest form of protecting your bitcoin from malwares attack, phishing and keylogger from getting to your private keys which I find really interesting and safe but it left some questions in my head.
Are we saying that there ain’t QR code malware? The use of QR code to send the PSBT to the offline device won’t do anything?
I have seen situations where that SD card are also attacked affected by malware will that not  be a problem too if you reuse The SD card?
That the reason I'm doubting it

[Zaguru12]

Firstly there is no one that say there is no malware on QR code, most malware’s coming from QR codes are actually either from the software that it was generated from (that’s why generating your QR code using third party apps is total wrong) or the device that scans the QR code is infected such that it changes the address scanned from the code, and it’s reason why you need to actually verify the transaction yet again.

But there are devices which actually gives you the QR code directly for your watch only wallet to derive and example is the Electrum wallet.

Yes an SD card can be infected if you actually installed it into a corrupted online device that’s why if it is SD card you’re using use it with an adapter such that you lock and make it a read only or use a USB with read only switch too.

But QR code still stands out if not generated by third party

[ABCbits]

The use of QR code to send the PSBT to the offline device won’t do anything?

If the device used to create PSBT QR code is infected, theoretically the malware could replace the PSBT QR with their own PSBT which send Bitcoin to their address.

Yes an SD card can be infected if you actually installed it into a corrupted online device that’s why if it is SD card you’re using use it with an adapter such that you lock and make it a read only or use a USB with read only switch too.

On Linux, you also can mount external storage as read-only and disallow any running executable from it.

[Lucius]

There is no setup that is completely bulletproof, so we probably cannot say that an air-gapped wallet is a 100% safe way of storing private keys and performing transactions. Honestly, I've always been curious about the possibility of hackers successfully attacking an air-gapped device through QR codes or even an SD card, but I think the chances of that happening are very small if the user knows where such threats come from.

In other words, if someone has a habit of using pirated software, downloading multimedia from the internet and visiting suspicious websites, it is very likely that they will pick up something malicious, especially if they do not have any security software. Even then, most ordinary hardware wallets or air-gapped devices will be of great help to any careful user to recognize that something is not as it should be.

Therefore, I would conclude that there is no better protection than using an air-gapped wallet with, of course, all the security measures that go along with it.

[satscraper]

I have heard about the cold storage using air gap system as the safest form of protecting your bitcoin from malwares attack, phishing and keylogger from getting to your private keys which I find really interesting and safe but it left some questions in my head.
Are we saying that there ain’t QR code malware? The use of QR code to send the PSBT to the offline device won’t do anything?
I have seen situations where that SD card are also attacked affected by malware will that not  be a problem too if you reuse The SD card?
That the reason I'm doubting it

If malware is already sitting on your device then malicious QR may instruct it to do some bad actions.

If your device is clean then you are safe simply because any QR can not contain malware itself because on any existing standarts QR code is far too small to accomodate any meaningful executable.

For instance, size of QR subjected to ISO/IEC 18004:

~3K of bytes is far too little to be taken seriously by malware developers.