Yes, this is "their fault". It's a poor design on a shared host since, as you're finding, as it causes users to have to do strange things WRT permissions. It can also make it a royal pain to delete those files, since they will normally be chmod'ed 644 and chown'ed to nobody. Then you have to run a CGI script to chmod them to 666 so your user account can delete them (since CGI runs as nobody it is the only user level account that has write access to these files). If time/money/whatever aren't an issue, you might shop for a new ISP who runs Apache CGI as the actual user instead of nobody. This protects your data both from external browser viewers as well as other users on your shared host.

The suggestion about storing these files outside the docroot for your CGI/web directory is also a good one, otherwise anyone who can guess the URL can see these files unless you take pains to change the permissions to something like 600.

FWIW, I would be just as paranoid about access by other users of the shared host as I would by the web at large. Unless you know all those people, you have no idea what they'll do with the data in your directories.