linux
excalibur, 2013-05-15 22:03:28

Apache, www-data, file and directory permissions?

The server has a directory /home/www/ which contains directories with sites:
/home/www/site1.com - the user user1 and www-data must have full access;
/home/www/site2.com - user2 and www-data must have full access;
/home/www/site3.com - user3 and www-data must have full access;
where www-data is apache2.
What groups and owners do I need to put on files and directories?
Apache creates logs for each site, i.e. text files where information is written, for example:
/home/www/site1.com/log/2013-05-15.txt.
Users should not be able to see what is NOT in their directories.
Well, do I need to add users (user1-3, www-data) to other groups?


5 answer(s)
Nikolai Vasilchuk, 2013-05-16
@Anonym

Add www-data to the user1, user2 and user3 groups.
Make the directory owners user1, user2 and user3 respectively.
Set permissions to 770.
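The three steps above as one script, added here as an example and not Nikolai's own code: it applies the scheme to a site and then audits the tree for anything still visible to "others". Paths and user names are the ones from the question; the DRY_RUN switch, the audit function, the setgid step and the choice of 660 (rather than 770) on plain files are this example's own assumptions and go slightly beyond the answer.

```shell
#!/bin/sh
# Added example (not from the answer above): applies Nikolai's scheme to one
# site and audits the result. DRY_RUN=1 prints the privileged commands
# instead of running them, so the logic can be checked without root.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# setup_site <site directory> <site user> <web server user>
# e.g. setup_site /home/www/site1.com user1 www-data   (run as root)
setup_site() {
    site_dir=$1; site_user=$2; web_user=$3
    # 1. the web server user joins the site user's group (the group named after the user)
    run usermod -aG "$site_user" "$web_user"
    # 2. the whole site tree is owned by the site user and that group
    run chown -R "$site_user:$site_user" "$site_dir"
    # 3. rwx for owner and group, nothing for others: 770 on directories,
    #    660 on files (capital X keeps plain files non-executable)
    run chmod -R u=rwX,g=rwX,o= "$site_dir"
    # 4. setgid on directories, so files the web server creates later (the logs)
    #    inherit the site group instead of www-data's primary group
    run find "$site_dir" -type d -exec chmod g+s {} +
}

# audit_site <site directory>: prints every entry that is still readable,
# writable or executable by "others"; prints nothing when the scheme holds
audit_site() {
    find "$1" \( -perm -o+r -o -perm -o+w -o -perm -o+x \)
}

# Usage: sh site-perms.sh apply /home/www/site1.com user1 www-data
if [ "${1:-}" = "apply" ]; then
    setup_site "$2" "$3" "$4"
    audit_site "$2"
fi
```

Files that Apache creates afterwards get Apache's umask, not these modes, so the audit is worth re-running after the server has written its first logs; the 770 on the site root still keeps other users out of the directory even if an individual log file ends up 644.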

Alexey Sundukov, 2013-05-17
@alekciy

A little higher up, Anonym initially gave the wrong advice, but in the comments he himself pointed out what the mistake was. sledopit offers the correct option, but it requires rights on the server to install additional modules. There is also the official suexec module. But if we are talking about ordinary shared hosting, then such a task cannot be solved in principle (unless the modules mentioned are already installed there).
But personally, on my servers I prefer the nginx + php-fpm + chroot bundle. For each site, the worker processes run with the site owner's rights, say u1:u1. The site's root directory is 0710 and u1:nginx, the log folder is 0770/u1:nginx. All other files have permissions 0640/u1:u1, folders 0711/u1:u1. If a file is public, it must belong to the nginx group. The PHP of one site cannot read anything in the files of another.
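An audit of the scheme Alexey describes (0710 on the site root, 0770 on log/, 0711 on other directories, 0640 on files, everything owned by the site user), added here as an example that is not part of his answer. The functions, the output format and the fallback to BSD stat are this example's own; u1 and nginx are the names from the answer.

```shell
#!/bin/sh
# Added example (not from the answer above): checks one site tree against the
# nginx + php-fpm permission scheme and prints one line per deviation.

# Numeric mode, owner and group of a path (GNU stat first, BSD stat as fallback)
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
owner_of() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }
group_of() { stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1"; }

# report <path> <actual> <expected> <what>: prints a line only on mismatch
report() {
    [ "$2" = "$3" ] || printf 'BAD %s: %s %s, want %s\n' "$1" "$4" "$2" "$3"
}

# audit_site <site root> <site user> <web server group>
# e.g. audit_site /home/www/site1.com u1 nginx
# Prints nothing when the tree matches the scheme.
audit_site() {
    site=${1%/}; user=$2; webgroup=$3
    # the root and log/ are the only places the web server group may enter
    report "$site" "$(mode_of "$site")" 710 mode
    report "$site" "$(group_of "$site")" "$webgroup" group
    find "$site" -mindepth 1 | while IFS= read -r p; do
        report "$p" "$(owner_of "$p")" "$user" owner
        if [ -d "$p" ]; then
            if [ "$p" = "$site/log" ]; then
                report "$p" "$(mode_of "$p")" 770 mode
                report "$p" "$(group_of "$p")" "$webgroup" group
            else
                report "$p" "$(mode_of "$p")" 711 mode
            fi
        else
            # files stay 0640; a file is made public by moving it into the web
            # server's group, which is an ownership choice the audit leaves alone
            report "$p" "$(mode_of "$p")" 640 mode
        fi
    done
}

# Usage: sh audit-site.sh audit /home/www/site1.com u1 nginx
if [ "${1:-}" = "audit" ]; then
    audit_site "$2" "$3" "$4"
fi
```

The 0710 on the root is what makes the scheme work: the nginx group can traverse the directory to reach files explicitly placed in its group, but cannot list or read anything else, so a deviation on the root mode is the first thing to look for in the output.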

arbuzmaster, 2016-05-02
@arbuzmaster

Open a console and type:
su
password - enter root password
cd /
cd home/
chmod -R 770 www
cd www/
chown -R user1:www-data site1.com
chown -R user2:www-data site2.com
chown -R user3:www-data site3.com

@sledopit, 2013-05-15

Look at apache-mpm-itk.
It allows you to run each virtual host as a separate user defined in the config, without fiddling with setfacl, shared groups, etc.

truekenny, 2013-05-16
@truekenny

For php there is an open_basedir configuration parameter that allows you to restrict access to scripts inside certain directories.
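A virtual host that combines sledopit's suggestion (apache-mpm-itk, whose AssignUserID directive runs the vhost as its own user) with truekenny's (open_basedir), added here as an example and not taken from either answer. The /home/www/<site>/{public,log} layout, the generator script and the php_admin_value line are this example's assumptions; php_admin_value only applies when PHP runs as mod_php.

```shell
#!/bin/sh
# Added example (not from the answers above): prints an Apache vhost for one
# site that runs as the site's own user (mpm-itk) and restricts PHP to the
# site's tree (open_basedir).

# vhost_config <domain> <site user> <site directory>
vhost_config() {
    domain=$1; user=$2; site_dir=${3%/}
    cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    DocumentRoot $site_dir/public

    # mpm-itk: requests for this vhost are served by processes running as
    # $user, so OS permissions, not the web server's identity, decide access
    AssignUserID $user $user

    # PHP's own check: file functions may only reach this site and /tmp
    php_admin_value open_basedir "$site_dir:/tmp"

    ErrorLog $site_dir/log/error.log
    CustomLog $site_dir/log/access.log combined
</VirtualHost>
EOF
}

# Usage: sh vhost.sh site1.com user1 /home/www/site1.com > /etc/apache2/sites-available/site1.com.conf
if [ $# -eq 3 ]; then
    vhost_config "$1" "$2" "$3"
fi
```

The two directives guard different layers. AssignUserID makes the kernel enforce the boundary, so the 770 and group tricks from the other answers become unnecessary for Apache itself. open_basedir is checked by PHP alone: it only covers PHP's file functions and says nothing about other things the server may run, so it complements the OS permissions rather than replacing them. If sessions are kept under /tmp, giving each site its own session.save_path keeps that shared directory from becoming the one place the sites still meet.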
