I don’t believe that is still the case. That was the case at one point in tme, but it is my understanding that they changed that.
For my servers, that is certianly the case - I could do it in the past but can’t do it any longer.
Note that irrespective of the default umask, you could/can always set the permissions on your files as appropriate for your security concerns - the problem was that many didn’t bother. To me the real problem was being able to list directory contents. For instance, if a site was running mod apache, or a user allowed sufficient permissions, you could run a script on the server to access/manipulate some of those files if people were careless - and you could explore the dirs to find “targets”.
Now, you can’t list the contents of dirs to facilitate the exploring, which helps considerably.