Why are my FTP users able to access / and other high-level directories?
If your FTP users are able to access / and other critical directories this means they are not chrooted to their specific document root.
If you want the FTP users to be locked to their document root you need to have ChrootEverone set to yes.
You can find the ChrootEveryone option in your FTP configuration file. By default, this is set to yes.
Here you can see the setting in the configuration file:
[root@test ~]# grep -i chroot /etc/pure-ftpd.conf