Comment 5 for bug 248843

Colin Watson (cjwatson) wrote :

I'm happy with GRUB's current practice on this, expressed in this code:

if test "x${grub_cfg}" != "x"; then
  rm -f ${grub_cfg}.new
  exec > ${grub_cfg}.new

  # Allow this to fail, since /boot/grub/ might need to be fatfs to support some
  # firmware implementations (e.g. OFW or EFI).
  chmod 400 ${grub_cfg}.new || grub_warn "Could not make ${grub_cfg}.new readable by only root.\
  This means that if the generated config contains a password it is readable by everyone"
fi
echo "Generating grub.cfg ..." >&2

[...]

if [ "x${grub_cfg}" != "x" ] && ! grep -q "^password " ${grub_cfg}.new ; then
  chmod 444 ${grub_cfg}.new || true
fi

In other words, if you use the password command then it's secret, otherwise it's world-readable. As to why we don't make it world-unreadable in general, nothing else in there is normally secret, so there's really no reason to do so - it would just annoy people. *Excessive* security tends to be a net loss. If you have special requirements then you can of course dpkg-divert /usr/sbin/update-grub and add a wrapper which sets the privileges you want.
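To make the two outcomes of that policy concrete, here is an added example that is not code from grub-mkconfig or from this bug thread: it reproduces the same sequence (open the output, chmod 400, relax to 444 only when no `password ` command is present) on a scratch file and prints the resulting mode. The helper names write_cfg and cfg_mode and the config bodies are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not grub-mkconfig's own code: reproduces the permission policy
# quoted above on a scratch file so the two outcomes can be compared.
# write_cfg and cfg_mode are hypothetical helper names.

# write_cfg CFG: writes stdin to CFG.new the way grub-mkconfig does, i.e.
# open the output first, then chmod 400 it, then relax to 444 only when the
# finished file contains no "password " command.
write_cfg() {
    cfg="$1"
    rm -f "$cfg.new"
    (
        # The output descriptor is opened before chmod 400 runs, so the write
        # below still succeeds (access is checked at open time, not per write)
        # and the file is never world-readable while content is going in.
        exec > "$cfg.new"
        chmod 400 "$cfg.new" || \
            echo "Could not make $cfg.new readable by only root" >&2
        cat
    )
    # Same anchored, literal check as the script: only a line beginning with
    # "password " keeps the 400 mode.
    if ! grep -q "^password " "$cfg.new"; then
        chmod 444 "$cfg.new" || true
    fi
}

# cfg_mode FILE: prints the symbolic mode, e.g. -r--r--r-- or -r--------
cfg_mode() {
    ls -l "$1" | cut -c1-10
}

# Demonstration on constructed config bodies in a temporary directory.
demo_dir=$(mktemp -d)

printf 'set timeout=5\nmenuentry "Linux" { linux /vmlinuz }\n' \
    | write_cfg "$demo_dir/grub.cfg"
echo "no password: $(cfg_mode "$demo_dir/grub.cfg.new")"   # -r--r--r--

printf 'set superusers="root"\npassword root hunter2\n' \
    | write_cfg "$demo_dir/grub.cfg"
echo "with password: $(cfg_mode "$demo_dir/grub.cfg.new")" # -r--------

rm -rf "$demo_dir"
```

Two details worth noticing when reading the real script alongside this: the `exec >` redirection is what lets `chmod 400` happen before any content is written (the already-open descriptor keeps working), and the relaxation step is a literal anchored `grep "^password "`, so only a line that starts with exactly `password ` at column one keeps the file root-only.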