That's what I do. Unfortunately this is also not the default behavior of Debian (and probably of no OS). But I aim to investigate how this could be done some day. Frankly, I'd urge you to use another user for scripts.
But anyway, this doesn't fix the problem with the umask. If a file in /tmp/ has 644, it's readable by everyone, independent of the file's owner. So this has to be fixed at some point, and I would like a more general fix via Apache's umask.
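As an added example (not part of the original post), the following POSIX shell script shows the effect the umask has on a file a script creates in a temp directory: under the usual 022 the file comes out 644 and is world-readable no matter which user owns it, under 077 it comes out 600. It assumes GNU coreutils (`stat -c`) and a writable temp directory; the file name `upload.txt` is made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumes GNU coreutils (stat -c '%a') and a writable TMPDIR.

# mode_under_umask UMASK
#   Creates a file inside a fresh temp dir with the given umask in effect
#   (in a subshell, so the caller's umask is untouched) and prints the
#   resulting octal mode, e.g. 644 or 600.
mode_under_umask() {
    dir=$(mktemp -d)
    (
        umask "$1"
        # Same thing a CGI/PHP script does when it writes a temp file:
        # default creation mode 666 masked by the umask.
        : > "$dir/upload.txt"
    )
    stat -c '%a' "$dir/upload.txt"
    rm -rf "$dir"
}

# world_readable MODE
#   Prints "yes" if the "other" bits of an octal mode string include read.
#   Works on the last digit as text, so "644", "0644" and "1644" all behave.
world_readable() {
    last=${1#"${1%?}"}
    case $last in
        4|5|6|7) echo yes ;;
        *)       echo no ;;
    esac
}

# Demonstration: the same script, two different umasks.
for m in 022 077; do
    mode=$(mode_under_umask "$m")
    echo "umask $m -> file mode $mode, world readable: $(world_readable "$mode")"
done
```

The umask is a per-process attribute inherited across fork/exec, so setting it for the Apache parent (on Debian, `/etc/apache2/envvars` is sourced at startup and is the usual place for a `umask 077` line) carries down to CGI and module-spawned children. Two caveats: a umask only removes bits at creation time, so a script that later runs `chmod 644` on its own file still ends up world-readable; and the sticky bit on /tmp only stops other users from deleting or renaming the file, not from reading a 644 one.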