LAMP Stack - Multiple Websites Isolation

I would like to host multiple websites on a VPS (LAMP stack - Ubuntu 20.04 LTS). For security reasons, I'd like to properly isolate each website/vhost from each other and also prevent access to other/system files. This shall mitigate the risk of website visitors exploiting a vulnerability of one website to manipulate files of other websites or access arbitrary files on the system.

1. Prevent access to other/system files:
   • Apache: The DocumentRoot directive specified in the virtual host config file of each website sets the directory from which Apache can serve files [1]. Is this sufficient to prevent Apache from accessing files outside of the DocumentRoot (e.g. /var/www/site1, /var/www/site2)? Because technically the Apache user (www-data) has read access to other files on the system as well. But I guess these are two different things? Meaning, Apache is programmed in a way to only serve files from specified directories to website visitors and Apache itself wouldn't serve any other files even though it has the required privileges to access/read other files on the system as www-data?
   • PHP: The open_basedir directive limits the files that can be accessed by PHP to the specified directory-tree [2]. Is it sufficient to set this directive to /var/www/site1 in the vhost config file of website 1 (/var/www/site2 respectively in the vhost file of website 2 etc.) to prevent PHP from accessing any files outside of these specified directories? Furthermore, if I limit PHP's access to files in this way, do I also need to specify directories other than the websites' root directory for PHP to work properly?
2. Prevent websites from being able to access each other:
   • Apache: Is it possible to create isolated Apache processes/users for each website? When I did my research, the same Apache user was used for all vhosts. Does this mean for websites to be isolated from each other, Apache doesn't need to be separated?
   • PHP: From my understanding, separate PHP-FPM pools can be used for each website to completely isolate them from each other (isolated PHP environments). Is this correct? Would I also need to create folders for each website to store their respective PHP session data? Or is PHP session data isolated by default, i.e. unique to each website (unique to each domain and also subdomain)? I don't want a situation where two websites share the same session data. For example, if I have two subdomains sub1.example.com and sub2.example.com and both sites have WordPress installed, I don't want a user who logged in on sub1 to be automatically logged in on sub2 as well.

I'd be grateful if someone could tell me if these measures would be enough to securely isolate multiple websites hosted on one server - if not, please point out the things I've missed.

Lastly, I suppose using the same MariaDB database server for all websites is alright? For each website I would create a database and a respective database user.

Thank you in advance for any responses!

In 2022 the almost perfect isolation is possible with Docker. I'd not bother with trying anything else, seriously. Everybody went this way, you will find a wide community and commercial support.

For instance, there is a Docker image with Wordpress already installed which was made by the Wordpress developers, so you can just use it and not bother with configuring PHP and Apache.

What you will need besides that is a reverse proxy which will detect requests to different websites and direct them to different containers.

I don't want a user who logged in on sub1 to be automatically logged in on sub2 as well.

This is entirely different kind of concern. It doesn't depend on isolation of processes from OS standpoint, rather it depends on the browser behavior when sending cookies (e.g. which cookies to send where). I suggest to ask about this part at Webmasters.