How to get MySQL server to bind to localhost only on Ubuntu 20.04 LTS?

Using the apt package managed version of MySQL server on Ubuntu 20.04.3 LTS with a default MySQL installation.

netstat shows MySQL server as being bound to the public IPv6 interface:

tcp6       0      0 :::33060                :::*                    LISTEN      2485/mysqld
tcp6       0      0 :::3306                 :::*                    LISTEN      2485/mysqld

However, /etc/mysql/mysql.conf.d/mysqld.cnf shows (commented lines removed for brevity):

[mysqld]
user            = mysql

# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address            = 127.0.0.1
mysqlx-bind-address     = 127.0.0.1

I have iptables and upstream firewall rules in place that deny external access to unapproved ports like MySQL, but I'd prefer that MySQL itself is bound to the correct interface on the system as per the configuration file.

On another system that was upgraded this year to 20.04.3, the configuration files are virtually identical and netstat shows:

tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      1349/mysqld
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1349/mysqld

Solved it by changing the permissions on /etc/mysql.cnf to 0644. I guess MySQL server doesn't like it if that file is marked as world writable/executable. It was marked as 0777 and I most definitely didn't do that. It was installed on the system that way from the mysql-server apt package.

This probably means that there are currently (as of Dec 2021) a bunch of Ubuntu Server 20.04.3 LTS systems out there that install MySQL via apt and accidentally open port 3306 to the world. Since there is no root password by default, it also likely means that MySQL can be quickly compromised from a remote system.