Proftpd has a built-in sftp server that would allow you to completely segregate users from sshd for the purposes of file transfers. You can set it up so that it uses a completely separate passwd file to even further isolate them (it’s hard to login to a system with ssh and break through a chroot if you don’t actually have a user in /etc/passwd …)
proftpd also allows you to chroot and isolate the sftp user to a set of directories pretty easily.
We do something like this:
LoadModule mod_sftp.c
<VirtualHost 10.1.1.217>
ServerName "ftp.example.com"
# from http://www.proftpd.org/docs/howto/NAT.html
MasqueradeAddress 1.2.3.4
PassivePorts 27001 27050
UseSendfile off
ExtendedLog /var/log/proftpd/access.log WRITE,READ default
ExtendedLog /var/log/proftpd/auth.log AUTH auth
AuthUserFile /etc/proftpd/AuthUsersFile
AuthOrder mod_auth_file.c
<IfModule mod_sftp.c>
Port 10022
SFTPAuthorizedUserKeys file:/etc/proftpd/ssh_authorized_keys/%u
SFTPEngine On
SFTPLog /var/log/proftpd/sftp.log
SFTPHostKey /etc/ssh/proftpd-ssh_host_rsa_key
SFTPHostKey /etc/ssh/proftpd-ssh_host_dsa_key
MaxLoginAttempts 6
</IfModule>
</VirtualHost>