The www-data user (or whichever account the web server actually runs as) should not own any files that the web server serves. The owner of a file can change its permissions and its contents, so if the web process is compromised, every file it owns can be rewritten or replaced. The web-server account should not be able to log in either: its login shell should be /bin/false, /usr/sbin/nologin or something similar.
Use an entirely different, unprivileged user for file ownership, and give the web-server account read access only. The one exception is a directory the application genuinely has to write to (uploads, cache); keep that to the minimum and do not let the server execute what lands there as code.
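A small audit script for the two checks above (ownership and write access under the document root, and the account's login shell), added here as an example and not code from the original page. It assumes a POSIX shell with find(1), grep(1) and cut(1); the document root, the account name and the passwd file are parameters, and the passwd file defaults to /etc/passwd.

```shell
#!/bin/sh
# Added example: audit a document root for files the web-server account owns
# or can write, and confirm that the account cannot log in.
# Assumes POSIX find/grep/cut; paths and account name are passed in.

# List every file or directory under DOCROOT owned by WEB_USER.
# Expected result for a correctly deployed site: nothing at all.
owned_by_web_user() {
    docroot=$1
    web_user=$2
    find "$docroot" -user "$web_user" -print
}

# List every file or directory under DOCROOT that is group- or world-writable.
# Expected result: only the directories the application must write to.
writable_by_others() {
    find "$1" \( -perm -g+w -o -perm -o+w \) -print
}

# Print the login shell of USER from PASSWD_FILE (default /etc/passwd).
login_shell_of() {
    user=$1
    passwd_file=${2:-/etc/passwd}
    grep "^$user:" "$passwd_file" | cut -d: -f7
}

# Succeed (exit 0) only if USER's shell is one of the usual "no login" shells.
shell_is_disabled() {
    case "$(login_shell_of "$1" "$2")" in
        /bin/false|/usr/sbin/nologin|/sbin/nologin|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all checks and report; exit status 1 if anything needs attention.
audit_docroot() {
    docroot=$1
    web_user=$2
    passwd_file=${3:-/etc/passwd}
    status=0

    owned=$(owned_by_web_user "$docroot" "$web_user")
    if [ -n "$owned" ]; then
        echo "FAIL: files owned by $web_user under $docroot:"
        echo "$owned"
        status=1
    fi

    writable=$(writable_by_others "$docroot")
    if [ -n "$writable" ]; then
        echo "WARN: group/world-writable paths under $docroot (review each):"
        echo "$writable"
    fi

    if shell_is_disabled "$web_user" "$passwd_file"; then
        echo "OK: $web_user has a non-login shell"
    else
        echo "FAIL: $web_user can log in (shell: $(login_shell_of "$web_user" "$passwd_file"))"
        status=1
    fi
    return "$status"
}

# Usage: sh audit.sh /var/www/html www-data
if [ $# -ge 2 ]; then
    audit_docroot "$1" "$2"
fi
```

The ownership check is the important one: a read-only file owned by www-data is still rewritable, because the owner can chmod it back. The writable-path listing is a warning rather than a failure because an uploads directory is a legitimate hit; review each entry and make sure nothing under it is served as executable code.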