When you run `php bakery bake` and it creates the app/.env file, it creates it with world-read rights (644, or rw-r--r--). That means anyone with access to the server can read the contents and get your database and email passwords. The permissions should be 600, or rw------- (possibly rw-r----- if the group is locked down to the minimum, system-level processes that are in that group).
This isn’t an obscure bit of knowledge. It’s basic security - use the strictest possible permissions, and never EVER grant world-read rights to sensitive information. When you screw up something that basic, I really wonder what other hidden vulnerabilities there may be in the code. Has the system ever undergone a security review?
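Added example, not part of the original post and not the project's own code: a shell check that classifies the mode of a secrets file such as app/.env and tightens it to 600 when it grants anything to other users or more than read access to the group. The function names are hypothetical, and the file in the test is constructed.

```shell
#!/bin/sh
# Audit and tighten permissions on a secrets file such as app/.env.

# Print the octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Classify an octal mode:
#   ok      - owner-only access (e.g. 600)
#   group   - group may read, nothing else (e.g. 640); acceptable only for a locked-down group
#   exposed - any access for others, or group write/execute (e.g. 644, 660)
classify_mode() {
    bits=$((0$1))                      # leading 0 makes the shell parse it as octal
    if [ $((bits & 0007)) -ne 0 ] || [ $((bits & 0030)) -ne 0 ]; then
        echo exposed
    elif [ $((bits & 0040)) -ne 0 ]; then
        echo group
    else
        echo ok
    fi
}

# Tighten an exposed file to 600 and print "before -> after".
# A group-readable file is left alone so the admin can decide whether the group is trusted.
harden_env() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    before=$(file_mode "$1")
    if [ "$(classify_mode "$before")" = exposed ]; then
        chmod 600 "$1"
    fi
    echo "$before -> $(file_mode "$1")"
}

# Stand-alone use: sh check_env.sh app/.env
if [ "$#" -gt 0 ]; then
    harden_env "$1"
fi
```

Running this after the file is created still leaves a short window in which the file is world-readable; setting `umask 077` in the shell before the file is written closes that window.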