So. It turns out Django has a limit on upload size of 2.5M. If a file is larger than 2.5 it goes straight to a temporary file, is manipulated and then copied over to the /Media folder. Files saved from memory have the permission of the owner (644) but files saved from the temporary folder have (644). Adjusting FILE_UPLOAD_PERMISSIONS allowed me to change this so the permissions are correct.

However, while looking through the images, I noticed that I'm very findable using the exif information uploaded with the images. The weird thing about that is opening an image with Pillow (django's image handling module) and then saving it again strips all the exif information from the image. So, it's clearly not that manipulated when the image is initially uploaded.

So... steps that have to be taken.

1.) Fix it so that images are correctly rotated upon upload. 2.) Strip the exif information from the images.