You can use iptables to limit metadata access to certain users, but that takes effort, so no one does it.
I guess a machine-local service that takes ownership of the metadata service and implements additional restrictions (such as limiting access keys to privileged users) might be doable.
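The per-user iptables restriction mentioned above, as an added example that is not part of the original comments: a small generator for owner-match rules that let only named local accounts reach the metadata endpoint. The address 169.254.169.254 and the account names `root` and `appuser` are assumptions, since the thread names neither a cloud provider nor any users.

```shell
#!/bin/sh
# Added example: print iptables rules that allow only the listed local
# users to reach the instance metadata endpoint. Nothing is applied
# unless the script is run with APPLY=1 (as root).

# Assumption: the usual link-local metadata address; the thread gives none.
METADATA_IP=169.254.169.254

# metadata_rules USER... : print one iptables command per line.
metadata_rules() {
    [ "$#" -gt 0 ] || { echo "usage: metadata_rules USER..." >&2; return 2; }
    for u in "$@"; do
        # Accept only plain account names or numeric UIDs, so nothing
        # unexpected ends up on a command line that is later run as root.
        case "$u" in
            ''|-*|*[!A-Za-z0-9_.-]*) echo "bad user: $u" >&2; return 2 ;;
        esac
    done
    for u in "$@"; do
        # The owner match works on locally generated packets (OUTPUT chain).
        echo "iptables -A OUTPUT -d $METADATA_IP -m owner --uid-owner $u -j ACCEPT"
    done
    # Everyone else is refused; REJECT makes clients fail fast instead of hanging.
    echo "iptables -A OUTPUT -d $METADATA_IP -j REJECT"
}

# Example: APPLY=1 sh restrict-metadata.sh root appuser
if [ "${APPLY:-0}" = 1 ]; then
    rules=$(metadata_rules "$@") || exit 2
    printf '%s\n' "$rules" | sh -e
fi
```

These rules only cover traffic that originates in the host's own network namespace; containers routed through the FORWARD chain and any IPv6 metadata endpoint need their own rules.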