If the scanning is authorized, can't you designate them a source addr to scan from that do not have snmp write/read access to your devices, assuming currently snmp access is already restricted with ACL(s) and only open to select hosts/subnets?
But going with your choice, I suppose you could configure snmp view(s) to stop snmp write access to the following OIDs:
OLD-CISCO-SYS-MIB
.1.3.6.1.4.1.9.2.1.55
CISCO-STACK-MIB
.1.3.6.1.4.1.9.5.1.5.1
.1.3.6.1.4.1.9.5.1.5.2
.1.3.6.1.4.1.9.5.1.5.3
.1.3.6.1.4.1.9.5.1.5.4
CISCO-CONFIG-COPY-MIB
.1.3.6.1.4.1.9.9.96.1.1.1.1.2
.1.3.6.1.4.1.9.9.96.1.1.1.1.3
.1.3.6.1.4.1.9.9.96.1.1.1.1.4
.1.3.6.1.4.1.9.9.96.1.1.1.1.5
.1.3.6.1.4.1.9.9.96.1.1.1.1.6
.1.3.6.1.4.1.9.9.96.1.1.1.1.14