For which 99.99999% of users will be using mobile clients to scan the QR code that have no capability of executing the code...

Yes, embedding a Windows app is essentially pointless for mobile users, but there are many other delivery vectors available from QR codes.

There are some interesting approaches listed at https://news.sophos.com/en-us/2019/10/17/beware-the-square-h...

Yet. :D

I've been working on a virtual machine where this wouldn't be a problem: https://esolangs.org/wiki/RarVM#Jumping_processes

(small process snapshot sizes and sandboxing capabilities)

Using the WebAssembly VM would be a good alternative for real applications.