With LiteSpeed, you can run CGI/FCGI/LSAPI in setUid mode (suEXEC), sentence them into their own jail (chroot), in addition to PHP safe_mode and open_basedir.
To run all CGI/FCGI/LSAPI for one vhost in setUid mode, usually under the user ID of the owner of the document root directory, you just change "CGI Set UID Mode" to "Doc root Uid". And you have to define an LSAPI app and PHP script handler in each vhost, not share the global script handler. As long as the permissions of each user account have been set properly, they will not be able to peek at each other's files.
A per-virtual-host chroot jail has the best security, but is too much for a normal installation. LSWS can do that as well, but you have to set up the jail environment for each vhost. Too much trouble.
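
The isolation described above depends on file permissions being set properly for each account. The following is an added example, not part of the original text and not LiteSpeed code: a permission audit for one vhost document root. The function name `audit_docroot`, the issue labels, and the rule that scripts run under the owner's uid need no read access for other users are assumptions of this example.

```python
import os
import stat
import sys


def audit_docroot(docroot, script_exts=(".php",)):
    """Return sorted (relative_path, issue) pairs for one vhost document root."""
    # "Doc root Uid" mode runs scripts as the owner of the document root.
    owner = os.lstat(docroot).st_uid
    exts = tuple(script_exts)
    findings = []
    for dirpath, _dirs, filenames in os.walk(docroot):
        # Check the directory itself, then every file directly inside it.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # mode bits on a symlink are not meaningful
            rel = os.path.relpath(path, docroot)
            if st.st_uid != owner:
                # A file owned by another account breaks the per-user boundary.
                findings.append((rel, "foreign-owner"))
            if st.st_mode & stat.S_IWOTH:
                # Any other local account could modify or plant files here.
                findings.append((rel, "world-writable"))
            if (stat.S_ISREG(st.st_mode)
                    and rel.lower().endswith(exts)
                    and st.st_mode & stat.S_IROTH):
                # Assumption: scripts executed as the owner can be mode 0600,
                # so "other" read access only lets neighbours read the source.
                findings.append((rel, "script-world-readable"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit.py /path/to/vhost/docroot
    for rel, issue in audit_docroot(sys.argv[1]):
        print(f"{issue:24} {rel}")
```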