diff --git a/changelogs/fragments/safer_copying.yml b/changelogs/fragments/safer_copying.yml
new file mode 100644
index 00000000000..e8d5ed698fd
--- /dev/null
+++ b/changelogs/fragments/safer_copying.yml
@@ -0,0 +1,3 @@
+bugfixes:
+ - ssh and local connection plugins now attempt to preseve or keep strict file permissions on transfers.
+ - copy, assemble, unarchive and uri actions will not force executable permissions on files anymore.
diff --git a/lib/ansible/plugins/action/assemble.py b/lib/ansible/plugins/action/assemble.py
index 6d0634c4857..3a11d061ee1 100644
--- a/lib/ansible/plugins/action/assemble.py
+++ b/lib/ansible/plugins/action/assemble.py
@@ -146,7 +146,7 @@ class ActionModule(ActionBase):
 xfered = self._transfer_file(path, remote_path)
 # fix file permissions when the copy is done as a different user
- self._fixup_perms2((self._connection._shell.tmpdir, remote_path))
+ self._fixup_perms2((self._connection._shell.tmpdir, remote_path), execute=False)
 new_module_args.update(dict(src=xfered,))
diff --git a/lib/ansible/plugins/action/unarchive.py b/lib/ansible/plugins/action/unarchive.py
index bcc152d44ca..356d9743a0c 100644
--- a/lib/ansible/plugins/action/unarchive.py
+++ b/lib/ansible/plugins/action/unarchive.py
@@ -97,7 +97,7 @@ class ActionModule(ActionBase):
 if not remote_src:
 # fix file permissions when the copy is done as a different user
- self._fixup_perms2((self._connection._shell.tmpdir, tmp_src))
+ self._fixup_perms2((self._connection._shell.tmpdir, tmp_src), execute=False)
 new_module_args['src'] = tmp_src
 # execute the unarchive module now, with the updated args (using ansible.legacy prefix to eliminate collections
diff --git a/lib/ansible/plugins/action/uri.py b/lib/ansible/plugins/action/uri.py
index 9860f2683b3..ee1c800ed6d 100644
--- a/lib/ansible/plugins/action/uri.py
+++ b/lib/ansible/plugins/action/uri.py
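Review bot: In the assemble.py hunk, the new `execute=False` applies to the whole tuple, which still includes the directory `self._connection._shell.tmpdir` alongside `remote_path`. A directory needs search (x) permission for the become user to reach the file inside it, and `_fixup_perms2` is defined outside this diff, so the hunk cannot confirm that its non-execute path keeps the tmpdir traversable on every chmod/ACL fallback it uses. The unarchive.py and uri.py hunks pass the same `(tmpdir, file)` tuple and share the question. I would back the change with a test that becomes an unprivileged user and reads the transferred file, and extend the comment to `# fix file permissions when the copy is done as a different user; the file is data, so grant read only (tmpdir must stay traversable)`. The enclosing method starts and ends outside the hunk.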
@@ -52,7 +52,7 @@ class ActionModule(ActionBase):
 tmp_src = self._connection._shell.join_path(self._connection._shell.tmpdir, os.path.basename(src))
 kwargs['src'] = tmp_src
 self._transfer_file(src, tmp_src)
- self._fixup_perms2((self._connection._shell.tmpdir, tmp_src))
+ self._fixup_perms2((self._connection._shell.tmpdir, tmp_src), execute=False)
 elif body_format == 'form-multipart':
 if not isinstance(body, Mapping):
 raise AnsibleActionFail(
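Review bot: The `_fixup_perms2(..., execute=False)` call in uri.py has no comment, while the matching calls in assemble.py and unarchive.py carry `# fix file permissions when the copy is done as a different user`. Since `execute=False` is the security-relevant part of the line, I would add above it `# fix file permissions when the copy is done as a different user; src is only read by the module, so do not make it executable`. That records the least-privilege intent, so a later edit is less likely to drop the argument and fall back to whatever default `_fixup_perms2` uses. The branch this call sits in begins before the hunk, and the `elif` that follows continues past it.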