Access rights
yoffi_toffi, 2018-03-22 06:22:05

How to properly organize security for a web server on CentOS 7?

Given: VPS, CentOS, Nginx, PHP7 (FPM), MariaDB.
There is a project /var/www/theproject.
Any specialization aside, are there tried and tested safe settings for this configuration?
I mean the following:
1. How should the users and groups of the nginx, php-fpm, project be distributed? (i.e. from whom the process is launched, and who belongs to which group)
2. Where is the correct location for the project folder, under whose rights and what permissions for files and folders should there be?
3. Do I need to disable SELinux?
4. Or am I doing everything wrong and docker should be used?

2 answer(s)
Stanislav Bodrov, 2018-03-22
@jenki

1. How should users and groups of nginx, php-fpm, project be distributed? (i.e. from whom the process is launched, and who belongs to which group)
Already properly distributed.
2. Where should the project folder be located correctly, under whose rights and what permissions for files and folders should there be?
It is desirable to have a separate dedicated partition so that you can tweak all sorts of nosuid, nodev in the mount options. Although it will do. The nginx user or whoever else is there.
3. Do I need to disable SELinux?
Not necessary. If you know how to cook it, then everything else is not needed.
4. Or am I doing everything wrong and docker should be used?
The isolation that docker provides is not its main function.

MarvinD, 2018-03-26
@MarvinD

3. Do I need to disable SELinux

In general, the question is incorrectly posed. It should never be turned off unless there are specific preconditions for doing so. In your case, you are using well-known software, which is good for SELinux. It may be necessary to understand the SELinux setup. But understanding it and "needing to turn it off" are different things.
Again, it is necessary. So you can get to the point that "you need to use Debian, not CentOS". It was correctly said above that docker is not primarily focused on ensuring the security of the configuration.
At a minimum, for VPS security you need:
1) access by key, not by password;
2) firewall, allowing only what is needed (ssh, http, https).
And google about secure nginx, something like that.
I.e., it is necessary to protect, starting from the points to which the rest have access. And these are open ports to services that you cannot close from others.
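
Added example, not part of either answer: a small shell audit for three settings the answers name (key-only SSH, a firewall limited to ssh/http/https, and nosuid/nodev on the project partition). The function names, the sample data and the assumption that /var/www is its own mount are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Each check reads text on stdin, so it
# runs on the constructed samples below or on live output (see comments).

# Live input: `sshd -T` (effective config) or /etc/ssh/sshd_config.
# First occurrence of a keyword wins; sshd's default is "yes" when unset.
ssh_password_auth() {
    awk 'tolower($1) == "passwordauthentication" { v = tolower($2); exit }
         END { print (v == "" ? "yes" : v) }'
}

# Live input: `firewall-cmd --list-services`. Prints every service that is
# open beyond the three named in the answer (ssh, http, https).
extra_services() {
    awk '{ for (i = 1; i <= NF; i++)
             if ($i != "ssh" && $i != "http" && $i != "https") print $i }'
}

# Live input: /proc/mounts. $1 is the mount point of the project partition.
# Prints the hardening options (nosuid, nodev) missing from that mount.
missing_mount_opts() {
    awk -v mp="$1" '$2 == mp { seen = 1; o = "," $4 ","
             if (!index(o, ",nosuid,")) print "nosuid"
             if (!index(o, ",nodev,")) print "nodev" }
         END { if (!seen) print "not-mounted-separately" }'
}

# Constructed sample data (not taken from any real host).
SAMPLE_SSHD='#PasswordAuthentication no
PermitRootLogin no
PasswordAuthentication yes'
SAMPLE_SERVICES='dhcpv6-client ssh http https mysql'
SAMPLE_MOUNTS='/dev/vda1 / xfs rw,relatime 0 0
/dev/vdb1 /var/www xfs rw,nosuid,relatime 0 0'

report() {
    echo "ssh password auth: $(printf '%s\n' "$SAMPLE_SSHD" | ssh_password_auth)"
    echo "extra services:    $(printf '%s\n' "$SAMPLE_SERVICES" | extra_services | tr '\n' ' ')"
    echo "missing mount opt: $(printf '%s\n' "$SAMPLE_MOUNTS" | missing_mount_opts /var/www | tr '\n' ' ')"
}
report
```

A plain read of sshd_config does not follow `Match` blocks, so `sshd -T` is the more reliable input on a live host.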
