I am not sure I understand the question my self, but here is my "penny",
The user would not be able to do anything that can harm the system,
and will be able to access using ssh, log in , as all ready mentioned they
will be able to read,write files in their dir only, /home/username/
If they know the root password, they can use 'su' , and become root, so if you do not want them doing anything as root, do not give them the password.
I don't know much about sudo, don't use it myself, but the same , (I think)
you would not want to add them to sudo group.
If you want to allow them to be able to write files , for example, in the
/var/www/htdocs, they would need to have special permissions, and be a member of a group allowed read/write access to those dirs, or be able to use 'su', to be honest I am not sure my self, on how you would set it up
so they could for example:have a home dir inside the /var/www/htdocs,
where they could add a index.html, etc, and create their own web site.
It might help if you clarify exactly what privileges you want to give the user,
and what areas they would be allowed access to.
If your concern is only that they can not do anything that could harm or change system files, your ok there, when the newuser is added, the default
does not give them any privileges outside of their home dir and tmp files,
as mentioned by Segfault .
So in a nut shell, as long as they are not a member of 'sudo', and do not have the root password, your ok.
==========================
A little off topic, but anyway:
I don't think Linux or Debian has a option for 'doas'
DOAS(1) General Commands Manual DOAS(1)
NAME
doas - execute commands as another user
SYNOPSIS
doas [-Lns] [-a style] [-C config] [-u user] command [args]
DESCRIPTION
The doas utility executes the given command as another user. The command
argument is mandatory unless -C, -L, or -s is specified-----snip---
In a way, I guess it is similar to what you all do with sudo, but anyway
way I find it usefull on OpenBsd, and use it , instead of all ways using 'su' and logging in as root. One can give a user specific permissions, in specific
directories , etc.