Just interested in the short answer? YES, ZAZA.rocks is 100% safe.
Yet security has many sides, so let's dig a bit deeper.
The basic principle of ZAZA.rocks is "content in context". This is also true for security: the content inside a ZAZA bag is exactly as secure as the context where your unique ZAZA link is embedded: an email, a WhatsApp message, an MS Office document, a comment field in your accounting package, but also a tweet or a public web page. Those who have access to the context can get to the content by clicking or opening the link. This means password holders for the mail, for Whatsapp, for the document server, but just about anybody for the tweet and the web page. It’s just like an attachment to an email: when you have access to the mail message, you can download and open the attachments. Exactly the same is true for ZAZA.rocks QR codes, which are only ZAZA links in a different jacket. The content behind the QR code is as secure as the surface hosting the QR code. When you stick a ZAZA QR on the back of a file binder in a locked closet, then the content will be effectively “locked up” by the key of that closet. If you put a ZAZA QR on your front door, the content can be opened by any person with a smartphone passing by.
As long as you keep these principles in mind, you’re OK.
A ZAZA.rocks link will always look like: https://zaza.rocks/da134f3e8c8b51dc2ce8392e63178fd9. The long number is a 128-bit unique random key. Could a hacker potentially "guess" such a key? No. Statistics would be against him, as he would have to guess about 10^30 times (a 10 with 30 zeroes). “Guessing” traditional username/password combinations would be much simpler, for example. Moreover, a correct guess would only provide access to a single download page of a single bag. It would not help one bit in cracking open the next one. This compartmentalized protection stands in stark contrast to any account based solution, where all information is fair game once the account is hacked.
As far as content safety is concerned (viruses & other malware): the same precautions as for any other website apply, with client side protection being the ultimate security fence.