All DaemonContext instances used for worker, scheduler, webserver, flower, etc. do not supply a umask argument. See here for example:
As a result, the DaemonContext will use the default umask=0 which leaves user data exposed. A BashOperator for example that writes any files would have permissions rw-rw-rw- as would any airflow logs.
I believe the umask should either be configurable, or inherited from the parent shell, or both.