When you run phd with a nonstandard umask, it carries through to repository checkouts.
For now, we should probably just force umask to 022 in the PullLocal daemon.
If we eventually decide to sudo all CLI stuff as the daemon user we could use 077, but we have a general assumption that access to the machine is sufficient to at least partially access possibly-sensitive information (e.g., by reading remote URLs out of the process list, accessing APC, or whatever else) and that letting attackers have shells on your production hosts is inadvisable; the not-completely-restrictive 022 umask is consistent with that.
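
An added shell sketch of the behaviour described above (not Phabricator's code): a child process inherits the launching shell's umask, resetting it to 022 at daemon startup normalises checkout modes, and `find_restricted` lists paths in an existing checkout that a tighter umask left unreadable to group or other. `simulate_checkout` and the other function names are hypothetical stand-ins for the PullLocal daemon's work.

```shell
#!/bin/sh
# Added example, not Phabricator code. All function names are hypothetical.

mode_of() {
  # Print the octal permission bits of a path (GNU stat first, then BSD stat).
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

simulate_checkout() {
  # $1 = destination directory. Creates a directory and a file the way any
  # child process would: requested modes 0777/0666, masked by the umask.
  mkdir -p "$1/repo" && : > "$1/repo/README"
}

checkout_modes() {
  # $1 = umask inherited from the shell that launched the daemon
  # $2 = umask the daemon forces at startup ("" = keep the inherited one)
  # Prints "<dir mode> <file mode>" for the resulting checkout.
  (
    umask "$1"                      # the operator's nonstandard environment
    if [ -n "$2" ]; then
      umask "$2"                    # the proposed fix: reset before any work
    fi
    tmp=$(mktemp -d) || exit 1
    simulate_checkout "$tmp"
    echo "$(mode_of "$tmp/repo") $(mode_of "$tmp/repo/README")"
    rm -rf "$tmp"
  )
}

find_restricted() {
  # $1 = checkout root. Lists paths missing group or other read permission,
  # i.e. paths a 022 umask would not have produced.
  find "$1" ! -perm -044 -print
}

# Constructed demonstration: inherited 077 versus 077 overridden with 022.
echo "inherited 077:      $(checkout_modes 077 '')"
echo "077, forced to 022: $(checkout_modes 077 022)"
```
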