You are mixing up completely unrelated things. Commercial entities and software coming from it have nothing to do with commercial activity.
The commercial activity is what *you* are doing with the software. It is completely irrelevant where you got it from or if you wrote it.
If you are doing commercial activity and are getting QT as a commercial product from a commercial entity, then it is *easier* for
you - you can simply delegate the security responsibilities of that part of your software stack up to the QT commercial entity
and you just need to take care of the rest of the stack, which you are *selling* to your customers (commercial activity!).
Whether accepting donations *in general* makes your activity in providing software a "commercial activity" in the context of
this directive proposal is not really a supported notion in the text. There are a few specific examples of what does make
a "commercial activity" in point 10, but none of those examples directly apply to general donations to a project or person.