How about mounting the NFS share read-only / noexec on the reference server?
User will still be able to execute the script in that directory/mountpoint using
bash script.sh
Read only would stop write on that same filesystem if that would help.
Even if you do all possible magic, a shell access and permissions would still allow user Bob to copy / change / execute the shell code on server1.
Actually, I cannot think of a way to stop user Bob from being Bob in your use case, no matter which server is in question.
Perhaps someone else here has some bright idea.
Hope that helps
Regards
Peasant.
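
The behaviour described in the reply above, as an added example that is not part of the original post: direct execution is refused, but an interpreter or a copy still works. It assumes a file without the execute bit as a stand-in for a script on a noexec mount (a real noexec mount needs root to set up); the function name and temporary paths are made up for the demo.

```shell
#!/bin/sh
# Constructed demo. In both cases (noexec mount, missing execute bit) the
# kernel refuses execve() on the file, while reading it is still allowed.
noexec_demo() {
    share=$(mktemp -d) || return 1   # stand-in for the NFS mountpoint
    home=$(mktemp -d) || return 1    # stand-in for Bob's own writable directory

    printf '#!/bin/sh\necho ran\n' > "$share/script.sh"
    chmod 0444 "$share/script.sh"    # readable, not writable, not executable

    # 1. Direct execution is denied; the shell reports status 126.
    "$share/script.sh" >/dev/null 2>&1 && direct=0 || direct=$?

    # 2. Interpreter invocation: sh only reads the file, so the code runs.
    via_interp=$(sh "$share/script.sh" 2>/dev/null) || via_interp=failed

    # 3. Read access is enough to take a modified copy somewhere writable.
    sed 's/ran/changed/' "$share/script.sh" > "$home/copy.sh"
    via_copy=$(sh "$home/copy.sh" 2>/dev/null) || via_copy=failed

    rm -rf "$share" "$home"
    echo "direct=$direct interp=$via_interp modified_copy=$via_copy"
}

noexec_demo
```

Read-only and noexec protect the files on the share and block direct execution, but they do not restrict what a user with shell access and read permission can do with the script's contents.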