… or “confine untrusted users to their home directory (and give them no shell access as well)”

Let’s create an unprivileged group for our purposes:

groupadd sftp-only

Then, create an unprivileged user ${USERNAME} and add it to that group:

adduser --ingroup sftp-only --shell /bin/false ${USERNAME}

If you need to “jail” an already existing user, just change its shell and group as follows:

usermod -s /bin/false -g sftp ${USERNAME}

Now edit /etc/ssh/sshd_config as follows (append at end of file):

Subsystem   sftp internal-sftp
Match Group sftp-only
    ChrootDirectory %h 
    ForceCommand internal-sftp
    AllowTcpForwarding no

Now set owner and permissions to user’s home directory, in order to avoid the creation of new files/directories:

chown root:root /home/${USERNAME}
chmod 0755 /home/${USERNAME}