I set the DocumentRoot in Apache to $HOME/web for each virtual site. You need to make sure that /home/username has 711 permissions, and that /home/username/web has 755 permissions. That way when users connect with FTP or any other method, they end up in their home directories and far away from /var/www.
If you want to increase the level of security between users, put the www-data user in each website user's group, then set /home/username to 710 and /home/username/web to 750. Now the Apache user can read the files, but no one else can.