Best way to manage user permissions

So everyone will have their private home directory and a shared drive which only trusted users can write to but all people can read from. Did I get that correct? So now you want to secure /home/jovyan/shared and you are not sure how best to achieve that?

Actually, I do not know the answer since I have never done such a thing. My first hunch would be to check Docker and its integration with JupyterHub to see whether you can mount that volume read-only for the less trusted users.
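One way the read-only mount suggested above could be set up with DockerSpawner, as an added example that is not part of the original post. It uses DockerSpawner's `volumes` and `read_only_volumes` options and the Spawner `pre_spawn_hook`; the volume names, the `/home/jovyan/work` mount and the trusted-user list are assumptions.

```python
# jupyterhub_config.py fragment (added example; names below are assumptions)
SHARED_VOLUME = "jupyterhub-shared"   # assumed Docker volume name
SHARED_PATH = "/home/jovyan/shared"   # path from the thread
TRUSTED_USERS = {"alice", "bob"}      # constructed sample usernames


def shared_mounts(username, volumes=None, read_only_volumes=None):
    """Return (volumes, read_only_volumes) with the shared volume placed in
    exactly one of them: read-write for trusted users, read-only otherwise."""
    # Drop any earlier entry for the shared volume so it cannot end up
    # mounted both read-write and read-only.
    rw = {k: v for k, v in (volumes or {}).items() if k != SHARED_VOLUME}
    ro = {k: v for k, v in (read_only_volumes or {}).items() if k != SHARED_VOLUME}
    if username in TRUSTED_USERS:
        rw[SHARED_VOLUME] = SHARED_PATH
    else:
        ro[SHARED_VOLUME] = SHARED_PATH
    return rw, ro


def pre_spawn_hook(spawner):
    """Runs inside the Hub before each container starts, so the decision is
    made outside the user's container."""
    spawner.volumes, spawner.read_only_volumes = shared_mounts(
        spawner.user.name, spawner.volumes, spawner.read_only_volumes
    )


# get_config() is injected by JupyterHub when it loads the config file;
# the guard lets this file also be imported on its own for testing.
if "get_config" in globals():
    c = get_config()  # noqa: F821
    c.JupyterHub.spawner_class = "dockerspawner.DockerSpawner"
    # Assumed per-user private volume, one per username.
    c.DockerSpawner.volumes = {"jupyterhub-user-{username}": "/home/jovyan/work"}
    c.Spawner.pre_spawn_hook = pre_spawn_hook
```

Because the mount mode is fixed when the container is created, a change to the trusted list only takes effect the next time that user's server is started.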