I’m quite sure there is no way to modify that in the normal code/installers, however if you’re using custom content, you can change this location to something else.
We also have several exceptions within our endpoint control system, but nothing outside of BigFix files, services, or processes is permitted.
The ideal strategy to enable execution is to allow all processes/execution whenever they are executed through any of the BigFix processes or from BigFix directories.