What exactly are you talking about? There are users and then their are web site visitors. If you don't want other users to read files, then on a file by file basis set the public permissions to 0.
In other words instead of 644 use 640 for data files.
As for as web site visitors, don't put the data files in a web-accessible directory. What I mean is put them in /home/username/data instead of /home/username/example.com/data - also make sure any CGI scripts can't be used to modify these files, such as a "file editor" for a blog/CMS application.
You can use a per-directory configuration file in an attempt to get the web server to block requests for certain types of files - but guess what happens if your .htaccess file goes missing.
openvein.org -//- One-time [color=#6600CC]$50.00 discount[/color] on [color=#0000CC]DreamHost[/color] plans: Use ATROPOS7