You can make the "superior" user a member of the default group for the user, and set the umask of the sandboxed user to allow group write by default.

Though that doesn't help malicious/"odd" use cases that can just reset the umask, or otherwise remove the group permissions from the subuser's files.

Or just use posix ACLs? Though you may then need to disallow the subuser from just removing them, maybe through seccomp?