Since the original post, I've done some additional research, and think having an account with users in two different default groups was an anomaly of some sort. There's a suggestion open that appears to be "allow setting the default group when creating a user" and I've voted for that.
From the WIKI
there is a note about the SetGID bit on directories - e.g.
chgrp othergroup somedir
chmod 2771 somedir
that will cause the files created in "somedir" to be in the group "othergroup" not (as that text on the groups page implies) in the default group. So, you're right, the shell is required to change the group, but it can be done on a directory so that files later created in that directory (via FTP, say) inherit that group.
That helps some, but, in general, as other threads have pointed out, since
o it's still a shared server
o the web server needs access to the files and
o UNIX file permissions aren't particularly fine grained,
there doesn't seem to be a foolproof way to protect files from other shell users on the system. The best I can come up with at the moment is to use a nonobvious name for the top level directory of the web server, so even if someone has shell access and the name of, say, a PHP file which has the name of a file where passwords are stored, they'd have difficulty finding the first file without read access on the directories above it.