As each virtual host uses its own php-fpm pool, the following is possible:
php-fpm.conf:
[php-username1]
user php-username1;
group www;
.....
[php-username2]
user php-username2;
group www;
.....
Then your php-fpm init script should start php-fpm with umask 0077. It means that php-fpm will create files owned by user defined in corresponding php-fpm pool, and new files will have 600 permissions (folders will have 700 permissions). It means that only appropriate php-username* process will be able to write to files in the corresponding pool/virtual host document tree.
Then suppose your users use FTP service to upload/change/delete files and folders in their document root (virtual host document root). Similarly, you should configure default 0077 umask in your FTP server, so that new files created by FTP service will use the same permissions and the same owner/group as the files created by the PHP-FPM process.
Then all your web users will not be able to access anything else outside their document root, unless permissions are given specifically to allow access. "open_basedir" setting per php-fpm pool or jailed root environment may restrict them even further, so they truly cannot access anything beyond their document root level.
Hope this helps,
Andrejs