The service itself is a several week endeavor to do properly, you have to understand the impact of all the pushed passes on the QR code generator, put together telemetry, dashboards, and alerting for the new service. Depending on their infrastructure that could be difficult to spin up. You have to do a design and review with the team so this isn’t just understood by one person and can be supported by a team. Documentation, ADRs, etc. setting up processes for managing the cert chain over the long term. And you probably want to keep parity between the iOS and android apps, so you need to understand that work.

Then yeah, it lowers engagement with the app, which is probably tied to someone’s bonus.

A lot of those pain points are involved by virtue of being the original developer. Generating a QR code every single minute for every single user can indeed easily lead to issues, but that's much less of an issue when you're able to change the QR code validity to, say, a week.

If you use online validation you can even dynamically rotate them whenever it suits you - either to adjust server load, or as some kind of "every Nth check-in" scheme. Heck, with online validation it doesn't even matter if the rotation service goes offline for a while!

Or just generate a fixed QR code which never changes. You know, like the 8-digit pin the QR code is the alternative for.