I can relate my experience with one scenerio where limiting access for some users is needed. I use the newish SSH capability to invoke an internal-sftp server in combination with MatchUser directive in sshd_config, forcing the user to use this sftp instance in a chroot. I use this for allowing people access to the web root when we are working together on a web project, but they don't need access outside of the web root or full shell access.
Code:
AllowUser ______
Subsystem sftp internal-sftp
Match User ______
ForceCommand internal-sftp
ChrootDirectory /var/www
# copied note from forum on how to make sure this works:
# This is quite simple really, it’s stat()ing the directory specified for
# “ChrootDirectory” and all its parents up to / and checking that they are:
#
# * owned by root
# * not group or other writable