Sorry, I figured out what was going wrong in my specific case just after
sending the last message. Turns out it is not all my users whose files
and directories are group-writable - only mine.
The users are meant to be able to read one another's files on the shared
machines by default, so they're all in the same group. But they're not
meant to be able to read all the sysadmin's files, so my primary group is
a separate group with the same name as my login name. What I intended as
an extra layer of protection turned into a liability when upgrading to
trixie. Because I often share files with users by issuing "chown
:joint-group some-file", and this is a bit of a problem if the files are
unexpectedly group-writable...
Lesson learned: letting the behavior of file access permissions depend on
comparing a login and group name is prone to cause surprises, if not
security-critical edge cases. At the end of the day, the impact of my case
is limited, but this is a change I wouldn't confidently push out into the
world if I were managing a popular Linux distro...
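As an added illustration (not part of the post above, and not the distro's own code): the script below simulates the two umask regimes the poster ran into, a 022 umask versus the 002 umask that accompanies user-private groups, then shows how a plain "chown :joint-group some-file" on a 664 file hands the group write access, and how to audit for such files and strip the group write bit before sharing. The scratch directory, the helper names and the use of the caller's own primary group as the "shared" group are all assumptions made here so the example runs anywhere; it does not claim to reproduce trixie's exact mechanism.

```shell
#!/bin/sh
# Added example, not from the original message. Simulates a per-user umask of
# 002 (the user-private-group default) next to 022, and shows why a bare
# chgrp on such files grants write access to the new group.

# create_with_umask DIR UMASK NAME: create an empty file under DIR while the
# given umask is in effect (subshell so the caller's umask is untouched).
create_with_umask() {
    ( umask "$2"; : > "$1/$3" )
}

# group_writable_count DIR: number of regular files under DIR whose group
# write bit is set. This is the audit to run before handing files to a group.
group_writable_count() {
    find "$1" -type f -perm -g=w | wc -l | tr -d ' '
}

# is_user_private_group USER: true when USER's primary group carries the same
# name as the login, i.e. the setup the poster describes for the sysadmin.
is_user_private_group() {
    [ "$(id -gn "$1" 2>/dev/null)" = "$1" ]
}

# share_file FILE GROUP: hand FILE to GROUP for reading only. The chmod g-w is
# the step that a bare "chown :GROUP FILE" omits and that matters once the
# file was created under a 002 umask.
share_file() {
    chgrp "$2" "$1" && chmod g-w "$1"
}

# Usage walk-through in a scratch directory (assumed, constructed for the demo).
demo_dir=$(mktemp -d)
create_with_umask "$demo_dir" 022 shared-umask-022   # mode 644
create_with_umask "$demo_dir" 002 private-group-002  # mode 664
echo "group-writable before sharing: $(group_writable_count "$demo_dir")"
share_file "$demo_dir/private-group-002" "$(id -gn)"
echo "group-writable after share_file: $(group_writable_count "$demo_dir")"
if is_user_private_group "$(id -un)"; then
    echo "$(id -un): primary group matches login name (user-private group)"
fi
rm -rf "$demo_dir"
```

The audit helper is the part worth keeping: run `group_writable_count "$HOME"` (or `find "$HOME" -perm -g=w`) after an upgrade that may have changed the default umask, and always pair a group change on shared files with an explicit `chmod g-w` unless write access is intended.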