By looking at the examples of spoofed graphical interfaces in the post, I am not sure whether natural caution would save me in a real world situation. QR codes and URLs are convenient, but they tend to be opaque. On the one hand, signal.org is not the only domain on which Signal services operate. On the other hand, keeping everything under a single domain is a bad idea as we know. So, one needs to keep track of the domains somehow and to check QR code contents.
Software design may help users to avoid some scenarios of social engineering. I guess that some subtle changes to how the links are processed by the application will help to improve the situation, but I do not know. The project’s collaboration with the researches is definitely a good sign!