The problem is the ordering of the services which is responsible for the
order in the activation-service-type after folding:
https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/system.scm#n808
It currently looks something like this (omitting some things)
activation-service
...
account-service
etc-service
...
privileged-program-service
---
which are added to the folded activation-service in reverse order (one
can check this by looking at the service-value of
(fold-services (operating-system-services %os) #:target-type
activation-service-type)
I think the easiest solution would be to either move the
privileged-program-service-type up or the account-service down.
Because activation-service is above account-service users/groups are
already available for direct activation-service extensions that set
permission/ownership on files
