Setting umask inside login.defs alone doesn't seem to work

hosts/aragorn/users/follie.nix

@@ -65,6 +65,7 @@
     pulumiPackages.pulumi-language-go
     pulumiPackages.pulumi-language-nodejs
     purescript
+    python3
     reuse
     rsync
     s5cmd

nixos/common.nix

@@ -9,8 +9,19 @@ in
   # I don't use GNU's info
   documentation.info.enable = false;
 
-  # Be more private with newly created files
+  # Set a more restricted umask globally. See pam_umask(8).
+  # NOTE: login.defs file is used here since it has the lowest priority considered by pam_umask
   security.loginDefs.settings.UMASK = "027";
+  security.pam.services =
+    let
+      text = ''
+        session optional pam_umask.so
+      '';
+    in
+    {
+      login.text = lib.mkDefault text;
+      systemd-user.text = lib.mkDefault text;
+    };
 
   # Just expose everything possible so shell completion works
   environment.pathsToLink = [