Your example doesn't have an address in it at all, so isn't compatible with non-BIP70 wallets. Maybe for QRcodes specifically there are no longer any such wallets out there. For clickable links it can still be an issue.

I thought SHA1 has a bad reputation these days, and we don't save much
by using it. I don't know anything about Murmur. MD5 is clearly broken.
What hash function would you recommend?

Can just truncate SHA256, I think.

It is. People can't check names. People don't want to check names.

Their wallet checks the name, though. It sees:

bitcoin:1AbCd?r=https://bitpay.com/r/12345

and the wallet verifies that the presented certificate is for CN=bitpay.com

People can't get certificates for lots of reasons. X.509 is centralized.
X.509 has had serious security issues in the past. And shit continues to
happen.

Well, I wrote an article that argues with this PoV:

https://medium.com/@octskyward/why-you-think-the-pki-sucks-b64cf5912aa7

No disagreement that it's a more complex mechanism. But seeing as we end up depending on it anyway the moment you load any kind of web page to find out the URI, adding another mechanism only increases complexity, it doesn't remove any.

Sure. But signing is harder than just calculating a hash.

Well, again, it saves qrcode bytes. You don't have to include a dedicated hash. The existing address hash can double up as both a backwards compatibility measure, and also an auth mechanism.