Apache SuexecUserGroup and group permissions


I'm having trouble with permissions and ownership on a fedora28 system
with apache-2.4 and joomla-3.9. I'd like to be able to have only the
minimal number of files necessary to be owned by apache and have an
ssh/sftp user have access to read and write every file in the document root.

I'm trying to address three issues:

- Provide ability for ssh/sftp users to write files within the document

- Provide apache with only the minimal ability necessary to write/delete
files, while not being restricted from reading.

- Provide joomla with the ability to write and access files as part of
its normal operation

I've loaded mod_suexec and enabled it with "Suexec on" and configured
SuexecUserGroup to the name of the ssh/sftp user:

SuexecUserGroup ftpuser ftpuser

I understood this to mean that, while apache is running as user
"apache", any writes to the document root would be made as "ftpuser",
but that does not appear to be the case.

Installing joomla modules still fails because it can't write to some
core joomla directories such as ./administrator/cache.

What is the solution to restrict write access by apache to reduce the
chances of some kind of privilege escalation attack should there be an
apache vulnerability, yet provide regular ftp/sftp users with the
ability to write changes as well as joomla itself have the ability to