#1
Old 01-15-12, 22:50
db2girl
Join Date: Aug 2008
Location: Toronto, Canada
Posts: 1,816
public access to catalog tables after migration

Let's say, a v9.1 or v9.5 db is created without RESTRICTIVE option. Then, select is revoked from public for all catalog tables/views. This v9.1 or v9.5 db gets migrated (in-place or via a restore) to v9.7. Select is granted back to public during migration. This only happens if the db was originally created without RESTRICTIVE option.

Do you think this is normal?
#2
Old 01-16-12, 07:48
Marcus_A
Registered User
 
Join Date: May 2003
Location: USA
Posts: 5,198
I don't know if it is normal, but RESTRICTIVE option is useless since it does not even allow access to packages that are needed to execute many SQL statements (such as cursor packages).
__________________
M. A. Feldman
IBM Certified DBA on DB2 for Linux, UNIX, and Windows
IBM Certified DBA on DB2 for z/OS and OS/390
#3
Old 01-16-12, 18:58
db2girl
Join Date: Aug 2008
Location: Toronto, Canada
Posts: 1,816
I think RESTRICTIVE is useful in their case because their security standards state that public should have no grants at all (I think this applies to all default packages as well but will verify). But not all databases were created with this option and migration just grants everything (will verify about packages) back to public. I'm not sure why db2 doesn't revoke what was not supposed to be granted in the first place...
#4
Old 01-16-12, 22:24
Marcus_A
Registered User
 
Join Date: May 2003
Location: USA
Posts: 5,198
Quote:
Originally Posted by db2girl
I think RESTRICTIVE is useful in their case because their security standards state that public should have no grants at all (I think this applies to all default packages as well but will verify).
It does apply to the default packages, and makes the database unusable. The DB2 supplied packages are not documented as to which are needed, so the implementation is ridiculous. There should be a difference between a user created package, and those used by DB2 internally to run basic queries (select, insert, update, delete). If you turn on restrictive, you can expect outages trying to figure out which ones to grant access for, which is something that many of us cannot tolerate.
__________________
M. A. Feldman
IBM Certified DBA on DB2 for Linux, UNIX, and Windows
IBM Certified DBA on DB2 for z/OS and OS/390
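
A post-migration check for the behaviour discussed in this thread, as an added example that is not from any of the posters: it lists the catalog objects on which PUBLIC holds SELECT again, generates the matching REVOKE statements for review, and lists the packages PUBLIC can still use. The set of catalog schemas in the filter is an assumption; adjust it to what your security standard covers.

```sql
-- Added example (not from the thread). Run against the migrated database
-- with an ID that can read SYSCAT views.
-- Assumption: "catalog tables/views" means objects in these four schemas.

-- 1. Catalog tables and views on which PUBLIC holds SELECT after migration.
--    SELECTAUTH: 'Y' = held, 'G' = held and grantable, 'N' = not held.
SELECT TABSCHEMA, TABNAME, GRANTOR, SELECTAUTH
FROM   SYSCAT.TABAUTH
WHERE  GRANTEE = 'PUBLIC'
  AND  SELECTAUTH IN ('Y', 'G')
  AND  TABSCHEMA IN ('SYSIBM', 'SYSCAT', 'SYSSTAT', 'SYSIBMADM')
ORDER  BY TABSCHEMA, TABNAME;

-- 2. Generate one REVOKE per object found above. Review the output before
--    running it; nothing is revoked by this query itself.
SELECT 'REVOKE SELECT ON "' || RTRIM(TABSCHEMA) || '"."'
       || RTRIM(TABNAME) || '" FROM PUBLIC;' AS REVOKE_STMT
FROM   SYSCAT.TABAUTH
WHERE  GRANTEE = 'PUBLIC'
  AND  SELECTAUTH IN ('Y', 'G')
  AND  TABSCHEMA IN ('SYSIBM', 'SYSCAT', 'SYSSTAT', 'SYSIBMADM')
ORDER  BY TABSCHEMA, TABNAME;

-- 3. Packages PUBLIC can execute or bind, including the DB2-supplied ones.
--    List these before revoking anything, so that the privileges
--    applications depend on can be granted to named groups or roles first.
SELECT PKGSCHEMA, PKGNAME, EXECUTEAUTH, BINDAUTH
FROM   SYSCAT.PACKAGEAUTH
WHERE  GRANTEE = 'PUBLIC'
  AND  (EXECUTEAUTH IN ('Y', 'G') OR BINDAUTH IN ('Y', 'G'))
ORDER  BY PKGSCHEMA, PKGNAME;
```

Running query 1 before and after the migration and comparing the two result sets shows exactly which grants the migration put back.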