As was decided a long time ago in WordPress, extract() should not be used in the case here with shortcode attributes, and in general WordPress removed its usage from WordPress core for several reasons.
Then there are the times that I can’t find any reference to where a variable came from at all. It’s just suddenly being used. One way that happens is through the extract function.
Also see https://blog.josephscott.org/2009/02/05/i-dont-like-phps-extract-function/
Reasons summarized
- Readability and Maintainability:
When you use extract, it makes it less clear where the variables are coming from. This can make the code harder to read and maintain, especially for someone who is not familiar with the codebase.
- Global Namespace Pollution:
extract introduces variables into the global namespace, which can lead to naming conflicts with other variables in your code or in other plugins/themes. This can result in unexpected behavior that is difficult to debug.
- Security Risks:
If user input is directly used in extract, it can pose a security risk, especially if the shortcode is used in a context where user input is involved. Using user input directly in extract can open your code to potential vulnerabilities such as injection attacks.
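
The security point above, as an added example (not code from WordPress or from this page): a shortcode handler that passes its attributes straight to extract(), next to one that reads named keys from a fixed set of defaults. demo_shortcode_atts() is a simplified stand-in for WordPress's shortcode_atts() so the block runs without WordPress; the handler names, the `box` shortcode and the $can_edit flag are hypothetical.

```php
<?php
// Simplified stand-in for WordPress's shortcode_atts(): keep only the keys
// listed in $defaults, taking the caller's value when one is supplied.
function demo_shortcode_atts(array $defaults, $atts): array {
    $atts = (array) $atts;
    $out  = [];
    foreach ($defaults as $name => $default) {
        $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
    }
    return $out;
}

// Before: every attribute key becomes a variable in the handler's scope.
function demo_box_with_extract($atts): string {
    $can_edit = false;          // set by the handler, not meant to come from the post
    extract((array) $atts);     // default EXTR_OVERWRITE: a "can_edit" key replaces it
    $title = isset($title) ? $title : 'Untitled';
    return sprintf(
        '<div class="box" data-edit="%s">%s</div>',
        $can_edit ? 'yes' : 'no',
        htmlspecialchars($title, ENT_QUOTES)
    );
}

// After: the defaults array is the list of accepted attributes, and each
// value is read by name, so unknown keys never reach a variable.
function demo_box_explicit($atts): string {
    $can_edit = false;
    $atts     = demo_shortcode_atts(['title' => 'Untitled'], $atts);
    return sprintf(
        '<div class="box" data-edit="%s">%s</div>',
        $can_edit ? 'yes' : 'no',
        htmlspecialchars($atts['title'], ENT_QUOTES)
    );
}

// Constructed input, as if parsed from: [box title="Hello" can_edit="1"]
$atts = ['title' => 'Hello', 'can_edit' => '1'];

echo demo_box_with_extract($atts), PHP_EOL;
echo demo_box_explicit($atts), PHP_EOL;
```

Comparing the `data-edit` attribute in the two output lines shows whether the post's attributes were able to change the handler's own variable.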