Apache virtual host files & directories writable by web user - how can this not be a risk?

During testing I have noticed that, alongside the convenience of having everything associated with a vhost and website created automatically, I've got PHP scripts being run by the user that owns the files and folders under the newly created vhost, instead of www-data or apache2.

That means the following: a hacked (for example) WordPress may plant webshell programs in the vhost directories. Not just that, it may alter legitimate files and inject malicious content.

I have to say I haven't had setups like this before: scripts were run by the web user (apache2 or www-data) and the files were owned by their system users, precisely in order to make the mentioned scenario impossible.

Now, I'm not smarter than the folks who developed this, so I'm asking:

What can be done to reduce/contain/minimize the obvious risk of this setup? Is there a Virtualmin magic feature that keeps this under control?

Thanks in advance.
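An added audit helper, not part of the original post and not a Virtualmin feature: it lists every regular file under a document root that the PHP execution user could modify, which is exactly the set of files a compromised WordPress running as that user could overwrite or plant a webshell into. The decision uses only ownership and mode bits (the same owner/group/other check the kernel applies for a non-root user); ACLs, immutable flags and read-only mounts are assumed absent. The directory layout and file names in the usage comment are hypothetical, and `stat -c` assumes GNU coreutils.

```shell
# Hypothetical audit helper (added example, not Virtualmin's own tooling).
# Prints regular files under DOCROOT that USER can write, judged from the
# file's uid/gid and mode bits. Assumes GNU stat (-c). Ignores ACLs,
# chattr +i and read-only mounts.
# Usage: audit_writable /home/example/public_html example
audit_writable() {
    docroot=$1
    runuser=$2
    uid=$(id -u "$runuser") || return 2
    # Padded with spaces so " gid " matches one whole group id, not a substring.
    gids=" $(id -G "$runuser") "
    find "$docroot" -type f | while IFS= read -r f; do
        # Fields: owner uid, group gid, symbolic mode such as -rw-r--r--
        set -- $(stat -c '%u %g %A' "$f")
        fuid=$1; fgid=$2; perm=$3
        writable=0
        if [ "$uid" -eq 0 ]; then
            writable=1                                   # root ignores mode bits
        elif [ "$fuid" -eq "$uid" ]; then
            case $perm in ??w*) writable=1 ;; esac       # owner class: 3rd char
        else
            case $gids in
            *" $fgid "*)
                case $perm in ?????w*) writable=1 ;; esac    # group class: 6th char
                ;;
            *)
                case $perm in ????????w*) writable=1 ;; esac # other class: 9th char
                ;;
            esac
        fi
        if [ "$writable" -eq 1 ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Convenience wrapper: how many files the execution user can modify.
# A hardened vhost should report only the upload/cache directories here.
count_writable() {
    audit_writable "$1" "$2" | wc -l | tr -d ' '
}

# Run directly with "sh audit.sh DOCROOT USER"; does nothing when sourced.
if [ "$#" -ge 2 ]; then
    audit_writable "$1" "$2"
fi
```

In the setup the post describes, running this with the vhost owner as USER lists essentially the whole docroot, which is the risk in one number; in the classic layout (files owned by the account, PHP running as www-data) the same audit lists only directories deliberately opened for uploads, so the difference between the two setups becomes measurable rather than anecdotal.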