If the QR code holds an EUI, then I assume that’s the DevEUI, not the (possibly shared) AppEUI. But even then: hardware-assigned EUIs are not random, so you’ll surely need some additional security to ensure people can only register and see their own device(s), and not guess the DevEUI of other devices.
For example, use random non-hardware EUIs, or add some signature to the DevEUI in the QR code, or create random non-EUI QR codes and link those to the devices you know. You could even put all OTAA details (DevEUI, AppEUI and AppKey) into the QR code, but then make sure not to put the QR code on the device itself as people tend to leave that in place, exposing the secrets.
While using a single AppEUI indeed works, I feel it would be really nice to allow buyers to use the device without your platform. For that, I’d say that each device needs its own AppEUI. You can add as many AppEUIs to an application as you like. (At least: I don’t think there’s a limit.)
Of course, if a user tells you they want to use the device themselves, then you’d need to remove the AppEUI and the device from the TTN application of your service, and provide them with the DevEUI, AppEUI and AppKey. You could also not pre-register the devices at all, but only register one as soon as they scan the QR code and indicate they want to use your services. (Assuming they did not register the device themselves already.) That would even allow them to register DIY devices, if you’d allow that.
The ttnctl command line interface or the Application Manager API can be used to easily register many AppEUIs to a single application.