We modify the default Mailman set-up in the following ways:
Symlink /var/lib/mailman/[archives|lists] to /home/mailman/[archives|lists], where the real action is.
For a mailing list mylist@mydom.com owned by user me, we create it by running /usr/local/bin/listnew mylist mydom.com me somepasswd, which runs the following for each value of F in /home/mailman/lists/mylist, /home/mailman/archives/private/mylist, and /home/mailman/archives/private/mylist.mbox:
{{{chmod -R g+s F chmod -R g-rwx F chmod -R u-s F chown -R list.me F}}}
In other words, list, the Mailman user, owns the files. They have the human user's group, but this group is given no more permissions than the rest of the world gets. It's only there as a marker for /home group quotas. The directories are setgid, so that new files created belong to the human user's group.
Change the Mailman CGI scripts in /usr/lib/cgi-bin/mailman to be owned by list.list and to be setuid instead of setgid. These scripts already cry bloody murder if run by anyone but www-data, so this use of setuid should be secure. They let the CGI scripts run as the Mailman user itself, since belonging only to Mailman's group is no longer enough to access the list data.