With questions like this, where there is unlikely to be formal specific best practice guidance, it often helps to look at the underlying security goal, how it can be achieved, and the pros/cons of using a specific method to achieve it.
Here the question is around vulnerability scanning of hosts; the goal is likely to detect mis-configuration of the hosts (e.g. unsecured services running) or the presence of malicious software which has been installed on them.
There are, generally speaking, two ways to achieve this goal. The first is to use a black box vulnerability scanner which runs over the network to target the in-scope systems.
The second is to use a credentialed vulnerability scan to review the configuration of the in-scope systems.
From an accuracy perspective, the credentialed scan is likely to produce superior results, as it can review program versions and things like listening ports without risking interception or modification by any network or host firewalls. The downside of a credentialed scan is that there's a requirement to provide the scanning tools with valid credentials for each host, so there's an overhead in maintaining and securely managing those credentials.
Using an unauthenticated network scan does not have this requirement, but may lose some accuracy and does require complete network level access in order to assess the visible services running on the in-scope systems. In terms of the risk of allowing that access, assuming a correctly scoped rule, you would only be at risk if the source system(s) are compromised or if an attacker can spoof their IP address AND there is an exploitable vulnerability on the target systems.
All of this is to say two things.
If the goal here is to provide the best assessment of system vulnerabilities and configuration, I would recommend authenticated scanning, which won't require major modification to network access (generally it requires SSH for Linux hosts and a couple of management ports for Windows hosts).
If authenticated scanning is not possible, then typically network scanners do require full network level access to in-scope systems, but a correctly scoped firewall rule shouldn't introduce significant additional risk to your environment.
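One way to check that a scanner allow rule is "correctly scoped" in the sense used above, as an added example that is not part of the original answer. The addresses, the rule format and the Windows management port set (135, 445, 5985, 5986) are assumptions made for illustration.

```python
import ipaddress

# Constructed values for illustration; none of them come from the answer above.
SCANNER_HOSTS = [ipaddress.ip_network("10.0.5.10/32")]
IN_SCOPE = [ipaddress.ip_network("10.0.20.0/24")]
# Assumption: SSH for Linux; RPC, SMB and WinRM as the Windows management ports.
AUTH_SCAN_PORTS = {22, 135, 445, 5985, 5986}


def _within(net, allowed):
    """True if net is fully contained in one of the allowed networks."""
    return any(net.subnet_of(a) for a in allowed)


def audit_rule(rule, authenticated):
    """Return scoping findings for one allow rule (hypothetical rule format)."""
    findings = []
    if not _within(ipaddress.ip_network(rule["src"]), SCANNER_HOSTS):
        findings.append("source is wider than the scanner hosts")
    if not _within(ipaddress.ip_network(rule["dst"]), IN_SCOPE):
        findings.append("destination extends beyond in-scope systems")
    ports = rule["ports"]
    if authenticated:
        # Credentialed scans only need the management ports.
        if ports == "any":
            findings.append("authenticated scan does not need all ports")
        elif set(ports) - AUTH_SCAN_PORTS:
            findings.append("ports beyond the management set are open")
    elif ports != "any":
        # Network scans need full access to see every exposed service.
        findings.append("unauthenticated scan will miss services on blocked ports")
    return findings


# Constructed sample rules: (rule, scan is authenticated?)
SAMPLE_RULES = [
    ({"src": "10.0.5.10/32", "dst": "10.0.20.0/24", "ports": "any"}, False),
    ({"src": "10.0.5.0/24", "dst": "10.0.20.0/24", "ports": "any"}, False),
    ({"src": "10.0.5.10/32", "dst": "10.0.20.15/32", "ports": [22]}, True),
    ({"src": "10.0.5.10/32", "dst": "10.0.0.0/8", "ports": "any"}, True),
]

if __name__ == "__main__":
    for rule, authenticated in SAMPLE_RULES:
        print(rule, "->", audit_rule(rule, authenticated) or "correctly scoped")
```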