GoogleCloudPlatform / guest-agent


google_metadata_script_runner runs temporary script with bash -c, fails on noexec /tmp

mbanck opened this issue · comments

The default appears to be that the scripts are being copied to a temp directory in /tmp, then executed via bash -c (see line 299 of google_metadata_script_runner/main.go):

                        c = exec.Command(config.Section("MetadataScripts").Key("default_shell").MustString("/bin/bash"), "-c", tmpFile)

However, if /tmp is on a noexec file system (which is not uncommon in locked-down environments) this fails and one gets an error like

google_metadata_script_runner[523]: startup-script: /bin/bash: line 1: /tmp/metadata-scripts433978404/startup-script: Permission denied

Shouldn't it be possible to just let bash run the script directly, i.e. remove the "-c"?

It is true one can change the run_dir directory in the config to point to another directory as a work-around, but maybe the above suggestion could be applied to make it work in general?

bash -c /path/to/script is basically the same as /path/to/script; removing the -c should restore the intended meaning of "use bash to execute that script".
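The behaviour described in the issue, as an added example that is not code from guest-agent: a script written without the execute bit stands in for a file on a noexec mount (both make execve fail with EACCES), and the temp file is handed to the shell in the current `bash -c <path>` form and in the proposed `bash <path>` form. The /bin/sh fallback and the script contents are assumptions made for this example.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// defaultShell mirrors the issue's default_shell of /bin/bash, falling back
// to /bin/sh on hosts without bash (assumption for this example).
func defaultShell() string {
	if _, err := os.Stat("/bin/bash"); err == nil {
		return "/bin/bash"
	}
	return "/bin/sh"
}

// writeNonExecScript writes a constructed script into dir with mode 0600.
// Without the execute bit, execve fails with EACCES exactly as it does for a
// file on a noexec mount, so this stands in for the locked-down /tmp.
func writeNonExecScript(dir string) (string, error) {
	path := filepath.Join(dir, "startup-script")
	script := []byte("#!/bin/bash\necho hello-from-script\n")
	return path, os.WriteFile(path, script, 0o600)
}

// runScript runs the temp file in one of the two forms discussed: withDashC
// true is the current `bash -c <path>` (the shell must execve the file);
// false is the proposed `bash <path>` (the shell only needs to read it).
func runScript(shell, path string, withDashC bool) (string, error) {
	var cmd *exec.Cmd
	if withDashC {
		cmd = exec.Command(shell, "-c", path)
	} else {
		cmd = exec.Command(shell, path)
	}
	out, err := cmd.CombinedOutput()
	return string(out), err
}

func main() {
	dir, _ := os.MkdirTemp("", "metadata-scripts")
	defer os.RemoveAll(dir)
	path, _ := writeNonExecScript(dir)
	for _, dashC := range []bool{true, false} {
		out, err := runScript(defaultShell(), path, dashC)
		fmt.Printf("with -c=%v: err=%v output=%q\n", dashC, err, out)
	}
}
```

The `-c` form reproduces the "Permission denied" from the log line above; the form without `-c` runs the same unexecutable file successfully.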

commented

You can define an option in the configuration file:
run_dir - String base directory where metadata scripts are executed

https://github.com/GoogleCloudPlatform/guest-agent/tree/main#configuration