This is a limitation of the way PHP is set up on your server. If you previously used MovableType, Perl was probably set up with suexec so Movable Type executed as your user. In this case, PHP is running as the web server user, which is why it has to be at least 444. There is phpsuexec but it seems many hosts don’t use it.

However this is often not an issue on modern shared hosts because even though the file is “world” readable each account is set up with a “jailshell” which keeps people locked in their home directory, and PHP can be easily modified with an open_basedir restriction to keep people from writing PHP scripts to read your files. If you are really concerned, you should contact your host to see what measures they are taking.