In automated exploitation (e.g. scanning for common classes of web vulnerabilities) /dev/shm is better because it doesn't touch the disk filesystem. It's also not an obvious place people use on a regular basis (as opposed to /tmp) so (some) people are less likely to look for things in there.
/tmp sometimes uses tmpfs which is also memory based, but not always and you won't know until you're in /tmp.
/tmp sometimes uses tmpfs which is also memory based, but not always and you won't know until you're in /tmp.