Comment 3 for bug 1700611

In my opinion, it's still better to have the file not world-readable by default. I looked to add-apt-repository for precedent, and the only information I found was bug #399709 - however, add-apt-repository also doesn't truly have support for adding private ppas (you can pass it a full url with embedded credentials, but then it doesn't DTRT for gpg key imports). So I don't think this is a relevant precedent at all.