Definitive wordpress directory ownership and permissions on linux
I know there are a thousand questions about this all over the place and trust me I've been trying every possible solution for years [not an overstatement] and each and every one is either missing a crucial piece or simply doesn't work [in my experience].
I'm looking for a solid, complete, and open-minded solution for the wordpress directory user / group ownership and permissions on linux. The requirements are the ones that I think everyone should be looking for: state of the art security, auto-updates, and sftp access.
The facts - if I'm not missing anything - are fairly straightforward: if we configure ownership of the web directory [in my case /var/www/] to a dedicated user [meaning not the webserver user - which in my case is www-data], as in: wp:www-data, wordpress is able to install themes and plugins but not to auto-update itself [security issue], even with fs method: direct;
if we attribute everything to www-data, as in www-data:www-data, files are owned by the webserver user [security issue];
and to access everything through sftp, even if we set up chroot, bind mounts, and access with a dedicated sftp user with whatever combination of user / group nesting [sftp being a part of www-data, sftp and www-data being a part of the same group, and so on...], files uploaded via sftp are created as the sftp user and even with the most complex ACL rules and excluding periodic chown / chmod scripts [which are absurd] ownership and permissions are always wrong.
I am astonished I haven't found a more obvious solution up until now. How many insecurely configured web servers are there out there? I'm sure the solution is out there and that you guys can help me figure this out. Thank you so much in advance! :)