Sven; tx again for your reply...
my only interest is sftp - so maybe scponly/rssh is worth looking at... i've ruled out proftpd on the port 22 issues alone. so failing rssh, i guess i'll just have to deal with added directory layers, and "stock" openssh; though still toying with the idea of mysecureshell; have used it previously with good results, but really wanted to try to stay true to the dist. this time around... actually just had a thought - i didn't try doing a root:root chmod 750, and then overriding with a group-specific acl. wonder if chroot would behave well in that "cross-circuit"... :-)