" reporting folk should not.....
...'use high-intensity invasive or destructive scanning tools to find vulnerabilities.' Phishing MoD staff is also out of bounds...."
Well, 32-33% of breaches involved the use of phishing and social engineering. [source - Verizon, late Oct 2020]
Also, invasive / destructive tools are readily available and often successfully used.
This statement seems to be equivalent to saying "Hey! come round and test my new home security system, but you're not allowed to kick the broken door down".