This is a very common scenario: you want to set up SSH access for an untrusted user, but strictly limit that user's capabilities to SFTP (or scp).
Usually there are just two requirements:
- The user can only access your machine to run the SFTP command; no other use of the SSH service is allowed for this user.
- The user can only access a very restricted environment and cannot break out of it (so they cannot access files they are not supposed to access).
Depending on how untrusted the user is, you may also want to guard against DoS attacks on the service, but the best measure for that is hardening the whole SSH service.
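
One way to check both requirements against a server's effective settings, as an added example that is not code from the original post: the function reads `sshd -T` style output and reports every setting that would let the account do more than chrooted SFTP. It assumes the SSH service is OpenSSH and covers SFTP only, not scp; the account name `sftpuser`, the sample path and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit OpenSSH's effective settings for one account.
# Live use (as root; "sftpuser" is a placeholder account name):
#   sshd -T -C user=sftpuser,host=localhost,addr=127.0.0.1 | audit_sftp_only

# Reads `sshd -T` style output on stdin, prints findings,
# returns 0 if both requirements hold and 1 otherwise.
audit_sftp_only() {
    awk '
    { key = tolower($1); $1 = ""; sub(/^ +/, ""); conf[key] = $0 }
    END {
        bad = 0
        # Requirement 1: SFTP is the only thing the session can run.
        # internal-sftp runs inside sshd, so no shell is ever started.
        if (conf["forcecommand"] !~ /^internal-sftp( |$)/) {
            print "FAIL forcecommand: session is not forced to internal-sftp"; bad = 1
        }
        # Other uses of the SSH service must be switched off as well.
        n = split("allowtcpforwarding x11forwarding permittty", off, " ")
        for (i = 1; i <= n; i++)
            if (conf[off[i]] != "no") {
                print "FAIL " off[i] ": expected no, got " conf[off[i]]; bad = 1
            }
        # Requirement 2: the session is confined to a chroot.
        if (conf["chrootdirectory"] == "" || conf["chrootdirectory"] == "none") {
            print "FAIL chrootdirectory: no chroot configured"; bad = 1
        }
        if (!bad) print "OK sftp-only and chrooted"
        exit bad
    }'
}

# Constructed sample: effective settings for a locked-down account.
sample_locked() {
    printf '%s\n' 'forcecommand internal-sftp' 'chrootdirectory /srv/sftp/%u' \
        'allowtcpforwarding no' 'x11forwarding no' 'permittty no'
}

# Constructed sample: an account that still has sshd's default settings.
sample_default() {
    printf '%s\n' 'chrootdirectory none' 'allowtcpforwarding yes' \
        'x11forwarding no' 'permittty yes'
}

sample_locked | audit_sftp_only
sample_default | audit_sftp_only || true
```

The audit covers configuration only; OpenSSH additionally requires every component of the chroot path to be a root-owned directory that no other user or group can write to.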