FWIW, the vendor has closed https://jira.mongodb.org/browse/SERVER-25335 with "Works as Designed".
If someone wants to follow up on explaining to mongodb upstream why umask shouldn't prevent them from applying proper permissions where needed, they're welcome to do so. ssh-keygen(1) would be a good example to point to. Cheers, --Seb
