Why do you want to run dynamic PHP code through a shortcode? This is a huge anti pattern and leads to all sorts of nasty problems (SQL Injections, XSS Attacks…)
the best way to achieve this is creating a custom plugin or using the functions.php file of your (child) theme to simply register a custom shortcode for every custom code you want to insert. It might not fulfill what you were trying to do but this is a lot safer.
Btw.. WordPress does not sanitize the attributes or body of a shortcode on its own, it’s most likely the sanitization of the WYSIWYG editor you are using (be it Gutenberg, TinyMCE or a pagebuilder like Elementor)
