It's minimal additional data that fits comfortably into your BBQRs. Why bring up USB here?
The current spec used for this protocol is over usb and custom hwi. Ideally there would be an extra field on PSBT. And the clients would include in it. We would taken take it and sign it. And to feel comfortable I want to see core with a proposed implementation of the client side. Messing with nonces is dangerous as fuck.