Account isolation when deploying multiple sites on same server

Is there a way to isolate sites on a single server so as to avoid malware propagation from one site to all others?

In what way? Not sure what you mean.

Maybe like each cPanel on a WHM has its user account, so even if you break into one cPanel you can’t easily go to all others on that WHM.

Sure. Use different servers. At $5 a site on Digital Ocean, that would be the absolute best separation. Otherwise, no, there isn’t a built-in way to separate sites. I assume you mean by system users, as that’s generally how shared hosting works.

I’ll point out that Trellis/VPS hosting is already pretty secure. By default Bedrock doesn’t allow you to edit files in WP or add plugins, so the most someone can do if they gain entry to your WP backend is probably add some malicious JavaScript to a WYSIWYG. There is no cPanel to give them full access. So unless they get shell access, they are still pretty well contained.