Each website is in its own individual user account
Virtual host root in the user account's home directory (as with cPanel and Plesk)
Privilege separation handled by the PHP FastCGI Process Manager (FPM)
Apache still serves all non-PHP files as the 'www-data' user, but no issues there
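
An added example, not part of the original page: a Python check over PHP-FPM pool definitions that flags pools breaking the one-account-per-site model described above. The pool names, users and socket paths are constructed, and PHP-FPM's default `listen.mode` of 0660 is assumed when a pool omits it.

```python
import configparser

# Constructed sample pool definitions (site names, users and paths are hypothetical).
SAMPLE_POOLS = """
[site1]
user = site1
listen = /run/php/site1.sock
listen.mode = 0660

[site2]
user = www-data
listen = /run/php/site2.sock
listen.mode = 0666

[site3]
user = site1
listen = /run/php/site3.sock
listen.mode = 0660
"""

WEB_SERVER_USER = "www-data"  # account Apache serves non-PHP files as


def audit_pools(text):
    """Return {pool: [findings]} for pools that weaken per-site separation."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings, seen_users = {}, {}
    for pool in cfg.sections():
        issues = []
        user = cfg.get(pool, "user", fallback="")
        if user in ("", "root", WEB_SERVER_USER):
            issues.append(f"runs as shared or privileged user '{user}'")
        elif user in seen_users:
            issues.append(f"shares user '{user}' with pool '{seen_users[user]}'")
        else:
            seen_users[user] = pool
        # A socket open to "other" lets any local account reach this pool.
        mode = cfg.get(pool, "listen.mode", fallback="0660")
        if int(mode, 8) & 0o007:
            issues.append(f"socket mode {mode} is open to other users")
        if issues:
            findings[pool] = issues
    return findings


if __name__ == "__main__":
    for pool, issues in audit_pools(SAMPLE_POOLS).items():
        print(pool, "->", "; ".join(issues))
```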