It seems the permissions on the symlink don't matter. The problem is that the file linked to in the store is readable by everyone (which I am ok with because it's just public keys). There is a solution with guix system by configuring openssh directly (see openssh-configuration -> authorized-keys), but there really should be a way to do this with guix home. (Anyone that can call guix home for my user can see/modify my authorized_keys anyway.) Maybe this bug should be renamed to something like "guix home cannot configure authorized_keys"?