Update: my logs indicated that it's related to Imunify 360
Sure enough, I went to the Imunify 360 settings panel in cpanel and then to its Proactive Defense section. There, I could see a list of failures. I went to the first error (a block) and clicked the gear and chose "ignore detected rule for the file" which adds the rule to the Ignore list.
After that, I was off to the races and was able to run updates and installs. Hope that applies to some of you other folks, too.
Some more info. This appears to be server related, not Drupal core related.
I tried it on an account running on CentOS v7.9.2009 STANDARD xen hvm and it works flawlessly (running Drupal 7.97)
For me, it fails on a server running CloudLinux v7.9.0 STANDARD standard. Not sure if that is useful info.
It applies to new module installations, too. The installer is able to create the new module directory within /sites/all/modules and even a sub-folder within the new folder and both have 755 permissions. It also creates a single zero byte file (644) at which point it craps out.