Separate volume, lots of people do that. Noexec, not as many people as you'd hope. Although in this case, /tmp is just a convenient place to store things because a lot of these things are embedded devices with little storage but /tmp in RAM. If a target wasn't allowing the chmod from there, the attacker could find somewhere else to put their binary as long as there was some writable storage. That binary could be a very small one that loaded instructions from another file in /tmp that wasn't executed.
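A defender-side check for the point made in the comment above, added here as an example that is not part of the original comment: list every mount that is writable and not `noexec`, since hardening /tmp alone leaves the others available. The sample mount table is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Audit a mount table (same format as /proc/mounts) for filesystems that
# are both writable and executable.

# Constructed sample resembling a small embedded device (assumption, not
# taken from the comment): /tmp is hardened, other writable mounts are not.
sample_mounts() {
cat <<'EOF'
/dev/root / squashfs ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /var/run tmpfs rw,nosuid,nodev,relatime 0 0
/dev/mtdblock5 /mnt/data jffs2 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
}

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read mount-table lines on stdin and print "mountpoint fstype" for every
# mount that is read-write and lacks noexec.
writable_exec_mounts() {
    while read -r _dev mnt fstype opts _rest; do
        [ -n "$opts" ] || continue          # skip blank or short lines
        has_opt "$opts" rw || continue      # read-only: nothing can be dropped here
        has_opt "$opts" noexec && continue  # writable but not executable
        printf '%s %s\n' "$mnt" "$fstype"
    done
}

# On a live system: writable_exec_mounts < /proc/mounts
sample_mounts | writable_exec_mounts
```

The check covers mount flags only. As the comment notes, `noexec` on /tmp does not stop a binary stored elsewhere from reading data out of /tmp.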