As mentioned by kravietz on Stackoverflow https://stackoverflow.com/a/56737468/1171107

[...] Theusage of Google Charts are absolutely terrible from information security point of view. That's essentially sharing the TOTP secret as well as your username (alice@google.com) and issuer (Example) with a third-party company with no legal obligation to keep them secret, and doing that over a GET request! Doing so you violate not only every single assumption underlying multi-factor authentication but also most likely your organisation's information security policy. It nullifies any value added by MFA since the only factor that protects you from compromising your account in case of password breach is itself breached.

It doesn't uses google charts to generate QR code. It used different API for that

It is using "https://api.qrserver.com/v1/create-qr-code" to generate the QR code for now.
To avoid security violation issue, you can use javascript library "https://github.com/davidshimjs/qrcodejs" to generate QR code in client side.

OR: https://larsjung.de/kjua/