Both. Do both. Make it easier for them to address the issue than ignore you. Depending on which side of the aisle your MP is on, focus your letter on either “those evil <other side> are doing thus terrible thing, I know you’re bold enough to stand up to them.” or “this policy seems to have the following problems, and it’s leaving you open to attack from <other side>. It’d be a shame if you lost your position over it.”

What I find particularly concerning is that the were able to “hide javascript commands that link the victim’s phone to a new device” in the payload of a qr-code. I can’t see any valid use for javascript in the group joining process, I would expect the code to just be a signal URI with the relevant group ID, so is there sone external javascript interface being exposed?