Best pratice for VPS setup and administration (web/ftp/ssh)
I deploy all my web content via SFTP, SCP, or by editing on the server (or through the CMS I've employed). FTP, per se, should not be needed.
Second - if you have user and group permissions correct, they won't be able to browse into other folks' websites via the commandline.
Certainly being able to login via SSH should be allowed, though, for exactly the reasons you stated.
I personally wouldn't let folks "tweak" their own php.ini files - I don't on the VPS I run in similar fashion to yours (ie, host a few sites for myself and friends). It's your server, and you're the one who's allowing others to use it: so let them use it according to your rules. I can't think of a shared hosting provider I've ever looked-at that allows people to tweak their php.ini settings.
What it's going to boil-down-to at some point, though, is trusting your friends to NOT do something mean/stupid/cruel to each other.
If you can't trust them - I wouldn't allow them to have access outside of a CMS.
For example, I set my different user's web roots thusly:
drwxr-x--- <user> apache
That allows apache to see and server content, but only the user can make changes.
I've run a host for many, many years now. A few things I've found out in that time is that if you allow your users to run CGI scripts, it's more or less "all bets off." They cannot always do things unintended, but chances are you will feel the pain later for allowing this.
For one, you have drastically increased the security hole chances. I've had users install phpBB (under my suexec wrapper) and then never upgrade it... I've had people write CGI scripts themselves which were security holes waiting to happen -- only lack of popularity prevented it.
I put each user in their own group. It came in handy when I made a user for a purpose (like a MUD, back when those were popular) and the owner of the MUD could then tweak files using the group permissions.
In any case, if you're willing to help and willing to spend the time to ensure that people aren't doing bad things, most of this is pretty easy. Just takes time away from better things IMHO.
I'd go with PHP-FPM and nginx, it's the way I've gone with my 20 or so PHP dedicated servers, in that way you can obtain both your objectives, PHP will run under the "pool" defined user, and your users can tweak their php.ini (although it will be called .user.ini, in their document root), without getting in the hassle of configuring suexec. https://www.vultr.com/docs/use-php-fpm-pools-to-secure-multiple-web-sites
If you decide to run PHP-FPM with Apache HTTPD, I'd suggest to use mpm or event worker instead of the default prefork worker. https://www.digitalocean.com/community/tutorials/how-to-configure-apache-http-with-mpm-event-and-php-fpm-on-ubuntu-18-04
However, PHP-FPM works ONLY for PHP, if your users want to execute other CGI, you will have to configure suexec all the same.
I'd avoid FTP like the plague, in favor of FTPS or better, SFTP which is already installed if you have SSH.
With SFTP you can chroot users to their home directories, via group match or direct user match, you can force your users to use a RSA key instead of a password (more secure), just by tweaking your sshd_config, https://www.tecmint.com/restrict-ssh-user-to-directory-using-chrooted-jail/
Even more, with chrooting you can decide if your users should have SSH access or SFTP-only.
Finally, allow me to share the wisdom my old system administrator shared with me while teaching me (read with the voice of Samuel Jackson):
your users are your enemy,
they will put crap on your server,
they will fill it to the brim,
they will use every watt of power it has,
they will try to access what they shouldn't,
you are ultimately responsible for your server
and what they do with it.
Of course, if you shared more specifics, like for example the OS used on the server, we could help more, since these are the settings that are in different places on most distros.