genfstab should use more restrictive permissions for boot or possibly just EFI partitions
As a feature request, genfstab should probably be in line with one or more boot manager packages that expect the /boot or /boot/efi partition to be root accessible only. I see it defaults to the following parameters for vfat partitions:
rw,noatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro
For some or possibly all vfat, or at least boot or EFI System type partitions, it should probably default to fmask and dmask of 0077 instead.