Protection Mechanism Failure
CVE-2026-46639
Summary
In Twig versions prior to 3.26.0, the object-destructuring assignment syntax introduced in Twig 3.24.0 generates a call to `CoreExtension::getAttribute()` with the `$sandboxed` argument hardcoded to `false`, regardless of whether a `SandboxExtension` is active. This permanently disables the sandbox's property and method policy checks for every destructuring expression.
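One way to check a project's `composer.lock` against the version range stated above, as an added example that is not part of the advisory or of Twig. The Composer package name `twig/twig`, the function names and the sample lock content are assumptions made for this illustration.

```python
import json
import re

PACKAGE = "twig/twig"     # assumed Composer package name for Twig
INTRODUCED = (3, 24, 0)   # advisory: destructuring syntax introduced in 3.24.0
FIXED = (3, 26, 0)        # advisory: affected versions are "prior to 3.26.0"

# Constructed sample lock file content, not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/polyfill-mbstring", "version": "v1.31.0"},
        {"name": "twig/twig", "version": "v3.24.1"},
    ],
    "packages-dev": [],
})


def parse_version(raw):
    """Return ((major, minor, patch), is_prerelease), or None if not numeric."""
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?(-.+)?$", raw.strip())
    if not m:
        return None  # branch aliases such as "dev-main" cannot be compared
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix is not None


def twig_status(lock_text):
    """Classify a composer.lock as absent, affected, not-affected or unknown."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if str(pkg.get("name", "")).lower() != PACKAGE:
                continue
            parsed = parse_version(str(pkg.get("version", "")))
            if parsed is None:
                return "unknown"
            version, prerelease = parsed
            if prerelease and version == FIXED:
                return "unknown"  # a pre-release of the fixed version may lack the fix
            return "affected" if INTRODUCED <= version < FIXED else "not-affected"
    return "absent"


if __name__ == "__main__":
    print(twig_status(SAMPLE_LOCK))
```

An "affected" result matters only where untrusted templates are rendered under `SandboxExtension`; the script cannot determine that from the lock file.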
CWE-693 - Protection Mechanism Failure
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.