What would be the use case for a framework that returns a password reset token to a random user requesting a password reset of another account? The token must only be available to the account owner.
This seems to be fairly deliberate; the QR code might probably give you some clues. They needed to generate a QR code so the user could just scan it and reset their password.