A profile shell script ( using #!/bin/pfsh or any other profile shell) must always be run in a profile shell.
Roles cannot execute the profile shell from the command line or from a shell script (or bring up a GUI) without the trusted path.
A role must have the name of any script using a profile shell explicitly listed in the Custom role_name Profile or another rights profile for the trusted path to be available. (For ease in troubleshooting, we recommend using the Custom role_name Profile for all customizations to a role's rights.)
As is true for normal users, any commands in the profile shell script also need to be in one of the role's profiles.