If it’s two different users, they should have their own isolated home directories. Yours should only have example.com, and theirs should only have sub.example.com
How is your user accessing your domain? FTP? Are they navigating the directory tree? Are they just ending up in your home directory when they FTP in?
For further protection, make sure you’ve enabled Enhanced User Security: