It may not be if you're both using E2E encryption. But if they just leave it on an image, that has other security problems. They'd need to immediately send it to a key that hasn't been digitally exposed for it to be secure (and that assumes that their device is secure). E2E encryption isn't enough if something malicious is on the device. It just seems like more work than sending invoice QR codes or something for Lightning payments. I think an encrypted file containing the key makes more sense. But that doesn't fix the problem that you were exposed to the key as well. This could create a double spend issue. You send an image that you already got the code from, paid someone, got something, and then rugged it. That's one of the security problems with hiding it in an image.
