Is there a way to isolate sites on a single server so to avoid malware propagation from one site to all others?
In what way? Not sure what you mean
Maybe like each cpanel on a WHM has its user account, so even if you break into one cpanel you can’t easily go to all others on that WHM.
Sure. Use different servers. At $5 a site on Digital Ocean, that would be the absolute best separation. Otherwise, no, there isn’t a built in way to separate sites. I assume you mean by system users, as that’s generally how shared hosting works.