You're basically evaluating the cryptographic merits of CSV.
I am not. I am weighing features vs unintended harm. Yes, the airlines shouldn't be including this data in the barcodes. It is improper to expose end users to this liability. And simply telling them not to expose them isn't a solution.
But if FB can detect harmful barcodes in an image, by all means they should remove the photo.
This is no different than Github scanning for AWS creds or MongoDB passwords in repos.
But Github doesn't do that either.
Amazon pays a contractor to scan Github repos for keys.
Case in point: app sandboxing. I, for one, don't want it, but it's everywhere.
Stuff like this should be configurable or over-ridable, especially when it has legitimate uses.
There will always be a balancing act between features, security and usability, to ram the needle one way and to say 'tough luck' to everybody else is not a solution because then people will try to find ways around the block.
Facebook already scans the image, probably even for QR codes, they could prevent users from harming themselves. And airlines shouldn't expose this info in the first place.
