Mikrotik changed the permissions available to these scripts recently, maybe the policy further restricted here? But these kinda scripts do not have full admin right now – netwatch’s docs helps explain what allowed (and AFAIK applies to the other locations with “on” scripts attached to config):
Netwatch executes scripts as *sys user, so any defined global variable in the Netwatch script will not be readable by for an example a scheduler or other users
Netwatch is limited to > read,write,test,reboot script policies> . If the owner of the script does not have enough permissions to execute a certain command in the script, then the script will not be executed. If the script has greater policies than read,write,test,reboot - then the script will not be executed as well, make sure your scripts do not exceed the mentioned policies.
It is possible to disable permission checking for RouterOS scripts under /system/scripts menu.
This is useful when Netwatch does not have enough permissions to execute a script, though this decreases overall security. It is recommended to assign proper permissions to a script instead.