Changing default umask in an ubuntu 20 docker image/container

I'm trying to make an ubuntu-based docker image that does a bunch of stuff and also creates files and directories on the host from time to time (in a bind-mounted folder). I'd like to set the umask so that permissions end up as desired, specifically to 0007 rather than the default 0022. I'm okay with changing the umask either at image build time or at container run time, though run time is preferred. But I don't want to mess with the entrypoint or the command since those are subject to change and compound commands can get complicated. My test is docker run --rm ubuntu bash -c umask and it always returns 0022. I've tried replacing 0022 with another value in /etc/login.defs, I've tried adding session optional pam_umask.so umask=007 to /etc/pam.d/common-session, /etc/pam.d/common-session-noninteractive, and /etc/pam.d/login, but those don't seem to have any effect. The only thing that works is create a file /etc/profile.d/umask.sh with the one-liner umask ${UMASK:-0022} and that works as long as I run commands with bash --login -c, but it would be great to not have to run a login shell but rather just to pass arbitrary commands to the docker. Ideally it should also be user-agnostic since I am changing the uid to match the host system. What is the right way to change the default umask for a debian image?