Considering that the OP is talking about an application server, it looks to me this is a standard production security policy, not something to pester developers with. It's not a measure to defend against internal attacks^*, but to prevent escalation after an intrusion. Of course, the script should be non-modifiable.

^*Although with some effort, it can help to protect against insiders wearing a black hat.