Tomcat upgrades alter file ownership
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tomcat9 (Ubuntu) | New | Undecided | Unassigned |
Bug Description
We have a set of webapps served using Apache Tomcat 9 on Ubuntu 20.04. By design (not mine, not changeable), the webapp files must be owned by, and the Tomcat process must be started by, a custom system user.
Several times now our webapps have broken during routine code updates, leaving us scrambling to do emergency maintenance in the middle of the night or on weekends. The root cause is that when we run apt upgrade, Ubuntu's updates to its Tomcat packages (either 'tomcat9', 'tomcat9-common', or both) reset the ownership of our webapp files to the 'tomcat' user. After this, the only way to recover our webapps is to go through the fileset and manually reset ownership of the relevant files.
As best I can tell, this is a problem with Canonical's packaging of these updates. I can't imagine there's a legitimate reason to forcibly change a user's choice of file ownership, and it surely can't be necessary to do so because we've had this same architecture for many years, and this never happened before Tomcat 9/Ubuntu 20.04. I've held these packages back from further updates so that the problem does not recur, but obviously the ideal solution is for these updates to stop altering the file ownership that we've set.
Can this be made to happen?
I haven't updated Tomcat in a year and a half because of this issue. Is anyone reading these?
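
One way to catch and undo the ownership reset described in this report is to record ownership before running apt upgrade and compare it afterwards. This is an added example, not part of the bug report or of Ubuntu's packaging; the script name `owners.sh` and the manifest format are assumptions, and it relies on GNU `stat` and on paths without tabs or newlines.

```shell
#!/bin/sh
# Added example: record file ownership before a package upgrade, then report
# and repair drift afterwards. Assumes GNU stat and no tabs/newlines in paths.
TAB=$(printf '\t')

# snapshot_owners DIR MANIFEST: one "uid:gid<TAB>path" line per file or directory.
snapshot_owners() {
    find "$1" -exec stat -c "%u:%g${TAB}%n" -- {} + > "$2"
}

# check_owners MANIFEST: print "path<TAB>want<TAB>have" for every entry whose
# owner changed (have is "missing" if the path is gone). Returns 1 on drift.
check_owners() {
    drift=0
    while IFS="$TAB" read -r want path; do
        have=$(stat -c '%u:%g' -- "$path" 2>/dev/null) || have=missing
        if [ "$have" != "$want" ]; then
            printf '%s\t%s\t%s\n' "$path" "$want" "$have"
            drift=1
        fi
    done < "$1"
    return "$drift"
}

# restore_owners MANIFEST: chown drifted paths back to the recorded owner.
# Needs root; -h changes a symlink itself instead of following it.
restore_owners() {
    check_owners "$1" | while IFS="$TAB" read -r path want have; do
        if [ "$have" != missing ]; then
            chown -h -- "$want" "$path"
        fi
    done
}

# Usage: owners.sh snapshot DIR MANIFEST   (before apt upgrade)
#        owners.sh check|restore MANIFEST  (after apt upgrade)
case "${1:-}" in
    snapshot) snapshot_owners "$2" "$3" ;;
    check)    check_owners "$2" ;;
    restore)  restore_owners "$2" ;;
esac
```

Running `check` from a post-upgrade hook or monitoring job turns the silent ownership change into an alert before the webapps fail.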