PHP

How to properly share rights on one VPS for several sites and users?

Good afternoon.
The problem is this:
We rented a good VPS in half with a friend. There will be several sites on the server. Half of the sites are mine, half are my friend's.
For security reasons, I want to correctly configure the nginx + php5-fpm bundle so that the owner of one site cannot access another site. Strongly no one is going to break into other people's folders, but the developer of another site hosted on the same VPS or someone who hacks any of the sites on the VPS can conditionally gain access to the site. I do not want to fence any virtualization, otherwise there is no point in dividing hosting into two.
So far I have a solution like this (but it solves only part of the problems).
For each site I create my own separate php5-fpm pool, hang it on a separate port and run it from a separate user.
For example:

[host1]
listen = 127.0.0.1:9001
user = user1 
group = user1
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 2
pm.max_spare_servers = 4
...
chdir = /
php_admin_value[log_errors] = on
php_admin_value[upload_tmp_dir] =    /var/www/$pool/mod-tmp/upload_tmp
php_admin_value[session.save_path] = /var/www/$pool/mod-tmp/sessions
php_admin_value[error_log] =         /var/www/$pool/logs/php-errors.log
и т.п.

Further, nginx, depending on the server_name in the locations, makes a redirect to the proxy. For example:

fastcgi_pass   127.0.0.1:9001; 	# - на один php пул, который работает от пользователя user1
fastcgi_pass   127.0.0.1:9002;  # - на другой php пул, который работает от пользователя user2

The questions I've already encountered.
Nginx runs as the www-data user and distributes static for all sites.
This means that all files owned by USER1 must be readable not only by USER1, but also by other users. If I set permissions on the files, for example 0775, then the user USER2 will be able to read the files of the user USER1. And if I set permissions to 0770, then nginx will not be able to load statics. Those. while it turns out that a user of one site, knowing the structure of another site, can access an arbitrary file, even though the owners of the files are different.
The second problem is that user USER2 can make a symlink, for example, in the root of the site, for example something.css -> /$homedirs/user1/$site/config.php. And then nginx will easily give away "someone else's secret files" containing, among other things, passwords. It is possible to forbid nginx to follow symlinks, but this increases the load on it and links are sometimes used for "legitimate" purposes.
Partially, using chroot in the php5-fpm pool settings could help me. Whether this will solve the issue with symlinks, I don't know. But I got another problem. One of the sites (a phpbb forum) gave the following error when using chroot

Can't connect to local MySQL server through socket '/var/run/mysqld mysqld.sock' (2) [2002]

The meaning is clear that php cannot access the socket outside of the chroot. So I have a choice either not to use chroot or to solve the problem with connecting to Mysql. Although the phpbb settings indicate a connection to Mysql via localhost on port 3306 (there are no settings anywhere about sockets), for some reason a message is issued about an error accessing the socket. I can't force Phpbb to connect through the port.
I have experience only setting up VPS for one user.
Therefore, I would like to either get a comment on the specific problems described, or get advice on how to properly divide hosting into several sites.