- many services run as root
- some write content to host's /data
- many read from host's /data
- some services integrate with one another

This is fragile and insecure. We should define rules for the /data tree.