We had to change this for security reasons, there was no option to fix the issue while keeping the old permissions. The web root was not made to store any files there directly. The private folder was introduced in 3.0.5 to offer an alternative storage location for files that shall be kept private.
You can configure in System > Server config that the permissions of existing sites dont get altered on update. But new sites will always get created with the new permission scheme.