diff --git a/bootloader/src/pyi_archive.c b/bootloader/src/pyi_archive.c
index 8c923c23dc..18a4be4b89 100644
--- a/bootloader/src/pyi_archive.c
+++ b/bootloader/src/pyi_archive.c
@@ -341,7 +341,11 @@ pyi_arch_extract2fs(const ARCHIVE_STATUS *status, const TOC *ptoc)
 rc = _pyi_arch_extract2fs_uncompressed(archive_fp, ptoc, out_fp);
 }
 #ifndef WIN32
- fchmod(fileno(out_fp), S_IRUSR | S_IWUSR | S_IXUSR);
+ if (ptoc->typcd == ARCHIVE_ITEM_BINARY) {
+ fchmod(fileno(out_fp), S_IRUSR | S_IWUSR | S_IXUSR);
+ } else {
+ fchmod(fileno(out_fp), S_IRUSR | S_IWUSR);
+ }
 #endif
 cleanup:
diff --git a/news/7950.bootloader.rst b/news/7950.bootloader.rst
new file mode 100644
index 0000000000..9166ad502f
--- /dev/null
+++ b/news/7950.bootloader.rst
@@ -0,0 +1,5 @@
+(Linux, macOS) When extracting files from ``onefile`` archive, the
+executable bit is now set only on binaries (files whose TOC type code
+was either ``BINARY``, ``EXECUTABLE``, or ``EXTENSION``). Therefore,
+binaries are now extracted with permissions bits set to ``0700``, while
+all other files have permissions bits set to ``0600``.
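Review bot: Both new `fchmod()` calls in the `#ifndef WIN32` branch discard the return value, so if the call fails the extracted file silently keeps whatever mode it was created with (creation is outside this hunk, so presumably umask-dependent), and the 0700/0600 permissions stated in the news entry are not guaranteed. Consider computing the mode once and checking the result: `mode_t mode = S_IRUSR | S_IWUSR | (ptoc->typcd == ARCHIVE_ITEM_BINARY ? S_IXUSR : 0);` followed by `if (fchmod(fileno(out_fp), mode) != 0) { rc = -1; }`, assuming -1 is the failure value `rc` carries here, which the hunk does not show. A short comment above the branch, such as `/* Only binaries get the executable bit; all other items are extracted as 0600. */`, would record why the type code is consulted. `pyi_arch_extract2fs` starts and ends outside the hunk, so the error path after `cleanup:` should be checked before adopting the `rc` assignment.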