On a privately owned server with one website, is there any reason the files/directories within /var/www can’t be group owned by www-data?
My understanding is that security risks with www-data having write access only arise if you have multiple websites running on the same box.
The principle of least privilege applies. Only give users the rights they need and no more.
In this case, if Apache is only serving up pages, give the user acct no rights to edit. Possible risks include: changing file content or uploading new ones; adding executable code to files, etc. These risks exist regardless of whether it is a single site or multiples. If the application has a need to edit a specific file, restrict permission changes to that file.
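The approach in the answer above, as an added example that is not part of the original thread: list what the web server's group can currently modify under a web root, then remove write access everywhere except the specific files the application must edit. It assumes the files are owned by a separate deploy account and that the server reaches them only through its group; the function names and the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: files are owned by a separate deploy account and the web
# server reaches them only through its group (www-data on Debian/Ubuntu).

# Print every path under $1 that group $2 could modify: group-owned and
# group-writable, or world-writable. Symlinks are skipped because their
# own mode bits are always 0777 and carry no meaning.
writable_by_group() {
    find "$1" ! -type l \( \( -group "$2" -perm -0020 \) -o -perm -0002 \) -print
}

# Remove group and world write from the whole tree under $1, then give
# the group write access only to the paths named in the remaining
# arguments (relative to $1), e.g. one data file the application edits.
lock_down() {
    root=$1
    shift
    chmod -R g-w,o-w "$root" || return 1
    for rel in "$@"; do
        chmod g+w "$root/$rel" || return 1
    done
}

# Typical use (the paths are hypothetical):
#   writable_by_group /var/www/html www-data
#   lock_down /var/www/html data/cache.json
#   writable_by_group /var/www/html www-data   # now lists only data/cache.json
```

Because the containing directory stays read-only to the group, the application can rewrite the contents of the permitted file but cannot create, rename or delete files beside it.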