It's not normally the default, but there's a world of bad advice out there telling people to chmod everything to 777 so that their PHP CMS can upload files.
The situation with default file permissions is already terrible enough that no host should ever have o+x on home directories. And once you remove that, it doesn't matter if everything inside is 777.
Hell, Wordpress recommends against it (and still doesn't do a great job explaining): https://codex.wordpress.org/Changing_File_Permissions#The_da... -- probably because people keep suggesting it. A search for "chmod 777" brings up plenty of examples.
Even chroot will mitigate this, but e.g. reseller types quite often don't have that level of competence.