Ah, yes, restic intentionally operates with a forced umask of 0077. I even created a forum thread about this, so it’s a bit silly of me to forget that.
IMO restic should defer to the umask when writing repository files, but I don’t know if @fd0 is open to that change. “Secure by default” is reasonable, but the current approach is also unreasonably limiting for system administrators who know what they are doing.