I just found out you may - even in current HTML use entity references in attribute values, it’s just you don’t have to anymore, when the ampersand is not ambiguous.
The spec states it as: “Attribute values are a mixture of text and character references, except with the additional restriction that the text cannot contain an ambiguous ampersand.”
Whereas in the the days before HTML5 this has been mandatory.
> HTML 4.01 Specification – Appendix B.2.2 “Ampersands in URI attribute values”
https://www.w3.org/TR/html401/appendix/notes.html#h-B.2.2
> Unfortunately, the use of the “&” character to separate form fields interacts with its use in SGML attribute values to delimit character entity references.
That's the same as main body text isn't it? And you have to be able to use them so you can escape " just like you have to escape < in main text.
HTML5 standardized how to interpret formerly invalid documents because it was more important to be consistent than to be correct.