PHP
developer007, 2018-12-22 18:25:19

How to safely deploy a php application?

So, you have written a cool project that brings in money (so far only a script, but it is 100% going to bring in money).
You are so-so at deploying an application, so you google "install php fpm ubuntu"; Ubuntu is on a VPS at DO. Using git, you clone the repo, change the config in Nginx and everything works.
The project is getting a lot of traffic. After a couple of weeks you look at the logs and there are smart-ass script kiddies and others trying to break your scripts. Upload a shell. Try SQL injection, upload a file and so on.
There is a fear that the script will be stolen and published publicly as XXX NULLED SCRIPT BY (%**(#%&%(* or under another title like LEAK OF THE PROJECT SCRIPT XXXXXX.
The project is on Yii and the built-in validation is actively used.
How to 100% protect yourself from this?
What rights are needed?
In which directory is it desirable to push the scripts?
What user to run nginx / php-fpm as?
How to protect yourself if the user still uploaded a shell to /public?
Do you deploy prod?


2 answer(s)
Boris Syomov, 2018-12-22
@developer007

How to 100% protect yourself from this?

No way. There is no 100% protection.
What rights are needed?
In which directory is it desirable to push the scripts?
What user to run nginx / php-fpm as?
There is no recipe for all occasions, especially one that could be presented not in the form of a big book but as an answer to a question. And it is more complicated than you probably think.
But there are a few tips:
You need a qualified administrator who will set up and maintain the server.
An analysis of the application by a security specialist is highly desirable.
There are WAFs that can solve some of the application's problems, even if nobody knows about them, and in the simplest case you can use, for example, Cloudflare, because running such software locally is often expensive in terms of resources.
Also, wherever files can be uploaded, code execution should be prohibited at the web server configuration level. I.e. it is necessary to write proper configs. In your case everything is actually quite simple: you have only one entry point, index.php in the webroot, and only that should be executed through php-fpm, not all php files. And places where uploading is not allowed, and which are not some kind of file cache, should be protected at the permissions level from file creation by the user the php handler runs as. I.e. the rule must be observed: if something is not needed, it is forbidden.
Also, no extra software on the server. No phpmyadmin, leaky panels, ftp. Everything outside is behind a firewall. But your admin should know all this himself, actually, and since you are asking this question, you need one, oh how you need one.
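The single-entry-point rule from the answer above, shown as an added nginx example (not code from the answer or from the project). The webroot /var/www/app/public, the uploads directory under it, the php-fpm socket path and the server_name are assumptions; the point is the contrast between the common "any *.php goes to php-fpm" location and a config where only index.php is ever executed.

```nginx
# Added example, not part of the answer. Paths, socket and server_name are assumptions.

# --- Weak: every *.php under the webroot is handed to php-fpm. A file
# --- dropped into /public/uploads/x.php is executed on the next request.
# location ~ \.php$ {
#     include fastcgi_params;
#     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#     fastcgi_pass unix:/run/php/php-fpm.sock;
# }

# --- Hardened: one entry point, nothing else is executable.
server {
    listen 80;
    server_name example.com;          # assumption
    root /var/www/app/public;         # assumption: holds index.php and static assets only

    # Uploads are served as opaque static files. The ^~ prefix match wins over
    # any regex location, so a .php name inside /uploads/ never reaches php-fpm.
    location ^~ /uploads/ {
        types { }
        default_type application/octet-stream;
        add_header X-Content-Type-Options nosniff;
        try_files $uri =404;
    }

    # Static files if they exist, otherwise everything goes to the single entry point.
    location / {
        try_files $uri /index.php$is_args$args;
    }

    # The only PHP file that is ever executed. SCRIPT_FILENAME is pinned,
    # not derived from the request path.
    location = /index.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption
    }

    # Any other *.php in the webroot (leftover or uploaded) is not served at all.
    location ~ \.php$ {
        return 404;
    }

    # Never serve dotfiles such as .git or .env.
    location ~ /\. {
        deny all;
    }
}
```

This covers the "only index.php through php-fpm" part of the answer; the permissions part is the complement: the code tree is owned by a deploy user and is read-only for the php-fpm user (for example `chown -R deploy:www-data /var/www/app` and `chmod -R u=rwX,g=rX,o= /var/www/app`, which are assumptions about user names), and only the uploads directory and any runtime cache are writable by www-data. With that split, even a successful upload lands in a place nginx treats as data, and the php-fpm user cannot create files where code lives.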

Sanes, 2018-12-22
@Sanes

If religion does not allow using shared hosting and control panels, then here are scenarios for a more or less secure environment. I hope you understand the idea.
