Can't make samba stay off the executable bit

Question

I have a samba server (it's in an AD domain, if it helps) which is sharing files both with NFS4 (to Linux clients) and SMB/CIFS whatever they use these days. Clients are a mix of Win7 and Win10 machines.

The issue is that very often files saved from the Windows client (mostly pdf and jpegs) have their executable bit set. This is confusing (well, harmless, in fact) for the posix users.

Since it's a mixed environment the idea would be using posix acls (in fact even less often: only a group can access some folder so a setgid on the parent would supply the required 'security'). Ideally there would be no Windows ACL around since these couldn't be enforced by NFS mounts.

I've set all the relevant option seemed relevant in smb.conf (altough their interaction is somewhat unclear)

    inherit acls = no
    map acl inherit = No
    map archive = No
    map hidden = No
    map readonly = permissions
    map system = No
    dos filemode = no
    ea support = no
    acl group control = no
    store dos attributes = yes

also in the folder section I have

    create mask = 0660
    directory mask = 02770
    force directory mode = 02000

And still I get executable files created by the Windows clients! (there is no need to store executable files on that share, either)

Am I missing something? Samba version is 4.13.2