cgroups sounds like the ideal way (not possible in Docker; but that’s another story).
While NOT ideal, this could be implemented outside of Hestia, as a “brute force” hack:
Have a separate process that simply checks all users processes and employs cpulimit if they are using a predefined amount of CPU for a predefined maximum duration. For instance; running (as root):
ps axo pid,user:32,%cpu,%mem,cmd
Reveals the process id, username, and their resource usage. Tracking this and employing cpulimit could be done. Would anyone be interested in such a running script in the background?