1) OJS doesn't ever try to adjust its own file permissions, so it must've been the way you unpacked the files. It's possible that tar preserves permissions when updating existing files from a tarball, but respects the tarball's internal permissions when creating new files, so if some files already existed before you updated and others were created anew, they might have different permissions.
2) Read and Execute by others should both be fine for everything; you might want to consider your cache, submission files, public, and config.inc.php directories/files separately as they contain journal content and configuration information that you may want to keep private.
Best practices will differ depending on how your server is configured and what access you have, so it's tough for us to give comprehensive recommendations on file permissions.
Public Knowledge Project Team
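One way to check the locations the reply singles out (cache, public, config.inc.php, and the submission files directory) for permissions granted to "others" after unpacking a tarball. This is an added example, not part of the original post and not PKP's own tooling. The function name `audit_ojs_perms` is hypothetical, and the submission files directory is passed as an optional second argument because its location depends on your installation.

```shell
#!/bin/sh
# Added example (not from the original post): report which paths under the
# locations named in the reply grant any permission to "others".
# Usage: audit_ojs_perms OJS_ROOT [SUBMISSION_FILES_DIR]
# The second argument is an assumption: pass wherever your submission files live.

audit_ojs_perms() {
    audit_root=$1
    # Build the target list; the files directory is added only when supplied.
    set -- "$audit_root/config.inc.php" "$audit_root/cache" \
           "$audit_root/public" ${2:+"$2"}
    for audit_target in "$@"; do
        [ -e "$audit_target" ] || continue
        # Symlinks always show mode 777, so skip them to avoid false positives.
        # World-writable entries are the most urgent finding.
        find "$audit_target" ! -type l -perm -002 -print |
            sed 's/^/other-writable /'
        # Readable or executable by others, but not writable.
        find "$audit_target" ! -type l ! -perm -002 \
            \( -perm -004 -o -perm -001 \) -print |
            sed 's/^/other-readable /'
    done
}

# Run directly when arguments are given, e.g.:
#   sh audit.sh /path/to/ojs /path/to/submission-files
if [ "$#" -gt 0 ]; then
    audit_ojs_perms "$@"
fi
```

Whether a reported path is a problem depends on which user the web server runs as, so treat the output as a list to review, not a list to fix blindly.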