I would think that since the container log directory is the only one generated by YARN, so there could be useful information in there. The other directories (file cache, app cache, user directory) would be files the user could already have access to without even launching a job, so I would expect that permissions there would be less likely to need loosening.
One follow up thought, based on Robert's feedback. Does it make sense to make it a DefaultContainerExecutor property only? For security reasons, it might make sense to give each ContainerExecutor subclass it's own property for container log directory permissions.
If so, I can do this JIRA for DefaultContainerExecutor and do a follow up JIRA to refactor ContainerExecutor and it's subclasses for the other properties. I'd like a little more time to think on that.