Hacker News

kccqzy 06/16/2025

You don't need any dynamic features in PDF to attack. One of the most famous exploits used a bug in the JBIG2 format to build the attacker's own dynamic feature (basically a virtual machine built from logic operations) to launch an exploit. https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-i...

In fact you have gotten it backwards. The obviously dynamic features in PDF like JavaScript are designed to be dynamic so they receive so much more attention in security. So smart attackers attack the not-obviously-dynamic features in PDF.
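A defensive triage sketch for the point made in the comment above, added here and not part of the thread: it inventories a PDF for the keys usually flagged as active content and, separately, for stream filters that feed data to native image decoders such as JBIG2. The key and filter sets, the function names and the sample bytes are assumptions made for the example.

```python
import re
from collections import Counter

# Assumed example sets: keys commonly flagged as "active content" ...
ACTIVE_KEYS = {"JavaScript", "JS", "OpenAction", "AA", "Launch"}
# ... and stream filters that pass document bytes to an image decoder.
DECODER_FILTERS = {"JBIG2Decode", "JPXDecode", "DCTDecode", "CCITTFaxDecode"}

# A PDF name token: "/" followed by anything but whitespace and delimiters.
NAME = re.compile(rb"/([^\s/<>\[\]\(\)\{\}%]+)")
# Value following /Filter: a single name or an array of names.
VALUE = re.compile(rb"\s*(\[[^\]]*\]|/[^\s/<>\[\]\(\)\{\}%]+)")

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /JBIG#32Decode is read as JBIG2Decode."""
    plain = re.sub(rb"#([0-9A-Fa-f]{2})",
                   lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")

def inventory(pdf: bytes) -> dict:
    """Count active-content keys and decoder filters in raw PDF bytes.

    Limitation: objects stored inside compressed object streams are not
    visible to this scan; decompress them first for full coverage.
    """
    active, decoders = Counter(), Counter()
    for m in NAME.finditer(pdf):
        name = decode_name(m.group(1))
        if name in ACTIVE_KEYS:
            active[name] += 1
        elif name == "Filter":
            value = VALUE.match(pdf, m.end())
            if value is None:  # e.g. an indirect reference; skipped here
                continue
            for f in NAME.findall(value.group(1)):
                f = decode_name(f)
                if f in DECODER_FILTERS:
                    decoders[f] += 1
    return {"active": dict(active), "decoders": dict(decoders)}

# Constructed sample: no JavaScript at all, but two image-decoder filters,
# one of them written with a hex-escaped name.
SAMPLE = (b"%PDF-1.7\n"
          b"1 0 obj << /Subtype /Image /Filter /JBIG#32Decode >> endobj\n"
          b"2 0 obj << /Filter [/FlateDecode /DCTDecode] >> endobj\n"
          b"3 0 obj << /Type /Catalog /Pages 4 0 R >> endobj\n")

if __name__ == "__main__":
    print(inventory(SAMPLE))
```

A file that reports nothing under `active` can still reach several decoders, which is the part of the attack surface a JavaScript-only check never sees.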


Replies

jasonjayr 06/16/2025

Ah, very good point.