I'm used to working with Apache and php-fpm.
With Apache, when I create new vhosts, I create a new user. That user has ownership of the docroot.
I then create an fpm pool for that user. And when I configure that pool:
* I set the user/group of the process to be the new user
* I give the httpd...