Cellebrite is built around that reason: USB/Thunderbolt stack vulnerabilities, etc., that allow the full-disk encryption key to be extracted out of the RAM of a running system.
I believe iOS is capable of flushing most cleartext data on suspend until the passcode is reentered, so suspend should be as good as shutdown; I don’t know if macOS can do it. On desktop Linux it’s theoretically possible with systemd-homed, but in practice that needs desktop-environment support that, as far as I know, does not exist, so shutting down is more secure. I can’t remember anything about Android either way except for some features for disabling the USB port in some alternative firmware.
On Windows with a typical TPM-only setup, powering off is probably just as bad as suspending, because just powering the machine back on is enough for it to helpfully unlock everything. If you do need to enter a BitLocker passphrase at boot, then you’re in the same situation as typical desktop Linux, so powering off is more secure.
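
Added example, not part of the original comment: a PowerShell check for the TPM-only case described above, using the built-in `Get-BitLockerVolume` cmdlet. The function name `Get-PreBootAuthStatus` and the wording of the `Assessment` column are made up for this illustration; run it from an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example: report whether each BitLocker volume needs a user-supplied
# secret before it unlocks. Get-PreBootAuthStatus is a hypothetical helper name.

function Get-PreBootAuthStatus {
    param([Parameter(ValueFromPipeline)] $Volume)
    process {
        # Collect protector type names, e.g. Tpm, TpmPin, Password, RecoveryPassword
        $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        $assessment =
            if ("$($Volume.ProtectionStatus)" -ne 'On') {
                'Protection off: key is not protected at rest'
            }
            elseif ($types -contains 'Tpm') {
                # A protector of type exactly 'Tpm' releases the key at boot
                # with no PIN, startup key or passphrase.
                'TPM-only: unlocks when the machine is powered on'
            }
            elseif (($types -like 'Tpm?*') -or ($types -contains 'Password')) {
                # TPM combined with another factor, or a pre-boot passphrase
                'Pre-boot secret required: powered off is locked'
            }
            else {
                'No TPM or passphrase protector found: review manually'
            }

        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            VolumeType = $Volume.VolumeType
            Protectors = $types -join ', '
            Assessment = $assessment
        }
    }
}

Get-BitLockerVolume | Get-PreBootAuthStatus | Format-Table -AutoSize -Wrap
```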