Understanding ALTER DEFAULT PRIVILEGES Behavior in PostgreSQL

Hello PostgreSQL Community,

I was experimenting with default privileges in PostgreSQL and came across a
behavior I didn’t
fully understand. I would appreciate any insights on this.

I wanted to ensure that, by default, no roles had EXECUTE privileges on
functions created in my
schema. To achieve this, I ran the following:

postgres=# CREATE SCHEMA my_schema;
CREATE SCHEMA

postgres=# CREATE ROLE alex LOGIN;
CREATE ROLE

postgres=# ALTER DEFAULT PRIVILEGES IN SCHEMA my_schema REVOKE EXECUTE ON
FUNCTIONS FROM PUBLIC;
ALTER DEFAULT PRIVILEGES

postgres=# CREATE OR REPLACE FUNCTION my_schema.hello_world()
RETURNS TEXT AS $$
BEGIN
RETURN 'Hello, World!';
END;
$$ LANGUAGE plpgsql;
CREATE FUNCTION

postgres=# GRANT USAGE ON SCHEMA my_schema TO alex;
GRANT

postgres=# SET ROLE alex;
SET

postgres=> SELECT my_schema.hello_world();
hello_world
---------------
Hello, World!
(1 row)

To my surprise, alex was still able to execute the function hello_world,
even though I had
altered the default privileges before creating it. I was expecting the
function to be inaccessible
unless explicitly granted permissions.

Could someone help me understand why this happens? Also, what would be the
best way to
ensure that, by default, no roles (except the function owner) have any
privileges on new
functions created in my protected schema?
I know about REVOKE ALL ON ALL FUNCTIONS IN SCHEMA my_schema FROM public but
this won't work for the functions created after this revoke statement.

Thanks
Ayush Vatsa