diff --git a/helpers/helpers.v2.1.d/utils b/helpers/helpers.v2.1.d/utils
index ff378a951..6c63fe82d 100644
--- a/helpers/helpers.v2.1.d/utils
+++ b/helpers/helpers.v2.1.d/utils
@@ -236,7 +236,7 @@ ynh_app_upgrading_from_version_before_or_equal_to() {
 _ynh_apply_default_permissions() {
     local target=$1
 
-    is_subdir() {
+    is_in_dir() {
         # Returns false if child or parent is empty
         child=$(realpath "$1" 2>/dev/null)
         parent=$(realpath "$2" 2>/dev/null)
@@ -245,17 +245,27 @@ _ynh_apply_default_permissions() {
 
     # App files can have files of their own
     if ynh_system_user_exists --username="$app"; then
-        if is_subdir "$target" "$install_dir" ||  is_subdir "$target" "$data_dir"; then
-            chmod -R u=rwX,g=rX,o=X "$target"
-            chown -R "$app:$app" "$target"
-            chown "$app:www-data" "$target"
+        # If this is a file in $install_dir or $data_dir : it should be owned and read+writable by $app only
+        if [ -f "$target" ] && (([[ -z "${install_dir:-}" ]] is_in_dir "$target" "$install_dir") || ([[ -z "${install_dir:-}" ]] is_in_dir "$target" "$data_dir"))
+        then
+            chmod 600 "$target"
+            chown "$app:$app" "$target"
+            return
+        fi
+        # If this is the install dir (so far this is the only way this helper is called with a directory)
+        if [ "$target" ==  "$install_dir" ]
+        then
+            # Files inside should be owned by $app/www-data with rw-r----- (+x for folders or files that already have +x)
+            chmod -R u=rwX,g=r-X,o=--- "$target"
+            # We set the group to www-data because most apps do serve static assets that need to be readable by nginx ...
+            chown -R "$app:www-data" "$target"
             return
         fi
     fi
 
     # Other files are considered system
-    chmod -R 400 "$target"
-    chown -R root:root "$target"
+    chmod 400 "$target"
+    chown root:root "$target"
 }
 
 int_to_bool() {