And what do you mean by "infecting the site with a virus"?
The virus infects the operating system, and if the infection occurred under administrator rights (well, or root'a ... I don't know what is closer to you), then only the antivirus will save it, which ideally should prevent this.
On the site, you can only expect the use of some standard exploit ("holes" in the CMS, for example), or an error in the code, through which extraneous files will get into the site folders (for example, they will replace /index.html, or lines with foreign files will be added to your html js codes), but this does not infect the system and does not affect neighboring sites, your site will give these files to visitors, and what will be displayed in the visitor's browser and downloaded to the visitor using them is another matter. All problems obtained with the help of exploits are likely to be limited to DOCUMENT_ROOT, i.e. will not leave the site.
It is possible that you have a common CMS for several sites and an attack on the CMS will allow you to gain access to all sites controlled by this CMS. And here the distribution by users will not save - the CMS must have access to all sites.
Distribution of rights to site directories is a completely normal practice, but it is intended specifically for the distribution of user rights to site folders, but not to prevent infection.

Docker) Good thing.
If you're so worried.

Put https://vestacp.com/ for each site of an individual user, and you will be happy.

Well, for this there must be some special antivirus programs.