installing/patching Oracle 11g, 12c, 19c requires umask of 022 (& umask 027 wont work)?

our DBA shared that he would run into issues with installing or applying Oracle 11g patches
if 'umask 027' is set  & he requires it to be 'umask 022'  (basically rwxr-xr-x  for all Oracle DB
or its related files &  folders).

Q1:
Is it the right practice for him to set  either  global umask (in /etc/profile) or Oracle's  (in
$ORACLE_HOME/.profile)?

Or only set  'umask 022' in $ORACLE_HOME/.profile for the session he's installing/patching
& once it's over, set it back to 'umask 027'?   External audit requires that we set individual
users'  as well as global (in /etc/profile) umask to minimally 027

Q2:
Or what's the recommended practice??

Q3:
My gut feel is to identify which files/folders  Oracle installation/patching requires &
set using Linux's  (we use Oracle linux & RHEL 7)  the relevant ACLs to give a granular
permission ie to fulfill 'need-to basis' : so we don't just grant entire group or 'Others'
Read (& Execute)  unnecessarily.  If we should adopt the ACL method,  can anyone
share which files/folders in Oracle 12c & 19c requires which id (oracle id?) what
types of access (read, execute, write?)