The issue you're dealing with in that case is this change in PostgreSQL-15 discussed in this blog:
https://www.cybertec-postgresql.com/en/error-permission-denied-schema-public...
If you have a Mailman-only host, with a Mailman-only PostgreSQL, or The Cabal of equally responsible maintainers are the only people who work on the Postgres cluster, the two approaches are basically equivalent.
My take is that the default "right thing" is to transfer ownership of the 'mailman' database to the 'mailman' user, and use "GRANT ALL ON SCHEMA public TO fred" in the case that you don't want to give "sudo mailman" to Fred.
Rationale: I believe there are a number of things that the 'postgres' user can do that other users cannot, and you probably don't want random contractors or new volunteers to have those privileges. On the principlee that 'postgres' should only do those things that only 'postgres' can do, you want to make the 'mailman' user the owner of the 'mailman' database (and 'mailmanweb' too if you go that route). Then if you have a user 'fred' who may be working on both mailman and non-mailman databases in a session, then instead of giving sudo mailman to Fred, 'mailman' can grant all on schema public in mailman to 'fred'.
It's a really fine difference, and probably will matter to almost nobody running Mailman 3. I do think
user 'mailman' owns the 'mailman' databaseis conceptually simpler than
user 'postgres owns the 'mailman' database and 'mailman' has ALL privilege on the PUBLIC schemaRight?
=== From the blog === ...almost any privilege escalation attack on a PostgreSQL database requires the attacker to create malicious objects. ... The public schema is the perfect vector for such a privilege escalation attack. ... In version 15, only the database owner can create objects in the public schema.
The user mailman has its plain text password written into the mailman.cfg file. If that is a potential weakness, would making mailman NOT the owner reduce vulnerability by a degree (in that objects could not be created in the public schema by using mailman's credentials)? Of course I would have a whole world of other problems if those credentials were misused, so I guess it's a bit theoretical anyhow.