/config/auth is the location where sensitive private data is stored such as VPN private keys. I was very careful when setting up my keys inside /config/auth to ensure private keys were chowned and chmodded so that they were readable just by root, the vyattacfg group (necessary in order for the config scripts to verify correct key format) and not other-readable. I was very surprised today to find that during some process (possibly upgrading through 'add system image') all the files and directories in /config were changed to root:vyattacfg and mode 775. Not only is this very bad in terms of security as it exposes all keys in /auth to all users and processes on the system, it's also technically wrong as files shouldn't be executable unless they're executable programs or scripts. Files should be 660 or 664 at most.
It's very likely that either 'add system image' does a 'cp' without '-a', or something does a 'chown -R root:vyattacfg; chmod -R 775'.
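One way to detect and undo the condition described above, as an added example that is not part of the original report or of the system's own scripts. The function names are hypothetical; the check assumes the policy stated in the report for key files: no execute bits and no access for other (nothing outside mode 0660).

```shell
#!/bin/sh
# Added example (hypothetical helper names). Default directory is the
# /config/auth path named in the report; pass another path as $1.

# find(1) wrapper: select regular files that carry any mode bit outside
# 0660, i.e. any execute bit (u/g/o) or any read/write bit for "other".
# Extra arguments are appended as the find action.
find_loose() {
    dir=$1; shift
    find "$dir" -type f \( \
        -perm -0100 -o -perm -0010 -o -perm -0001 \
        -o -perm -0004 -o -perm -0002 \) "$@"
}

# Report: list offending files, one per line, sorted for stable diffs.
audit_auth_perms() {
    find_loose "${1:-/config/auth}" -print | sort
}

# Repair: strip execute bits and all "other" access from offending files.
# Directories are left alone because they need the execute (search) bit.
tighten_auth_perms() {
    find_loose "${1:-/config/auth}" -exec chmod a-x,o-rwx {} +
}
```

Running `audit_auth_perms` before and after an image upgrade shows whether the upgrade rewrote the modes; ownership is not checked here.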