I have 15+ years of experience with unix/linux, vps and wordpress, I understand how unix permissions work and I have my own brain to figure out what is safe, so I don't need to read discussions about this.
Any php script, accessed through http(s), can write to any file owned by www-data (unless its write bit is set to 0, which in your case it isn't). This means that if anyone who has administration rights uploads a plugin that is infected, or if the wordpress repo is hacked, or a premium plugin update site goes into the wrong hands (happened many times), the attacker can, through an infected file, do whatever he pleases to your php files all over your server.
Anyway, I am not even asking you to do things my way, I am just asking you not to reset file ownership on all sites every time a new site is created. Why is this a problem?
(I updated your script myself, but I'd like to be able to upgrade without having to reapply my patch every time)
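The concern above is that a php file owned by the web-server user can be rewritten by any script running as that user. As an added example (not the poster's code and not part of the script being discussed), this POSIX shell helper audits a web root for exactly that: files owned by the web user with the owner write bit set, plus anything group- or world-writable. The web root path and the user name (`www-data` by default) are arguments, so nothing here assumes a particular layout.

```shell
#!/bin/sh
# Added audit helper, not from the thread. Lists regular files under a web root
# that the web-server user could modify from a php script:
#   - owned by that user and owner-writable   (-user X -perm -200)
#   - group-writable                          (-perm -020)
#   - world-writable                          (-perm -002)
# Octal -perm masks are used rather than symbolic ones for portability.
# Usage: audit_www_writable /var/www/example.org www-data
audit_www_writable() {
  root="$1"
  user="${2:-www-data}"
  find "$root" -type f \
    \( \( -user "$user" -perm -200 \) -o -perm -020 -o -perm -002 \) \
    2>/dev/null
}

# Same audit restricted to php files, which is what an attacker would
# overwrite to persist; prints the count so it can be used in checks.
count_www_writable_php() {
  audit_www_writable "$1" "$2" | grep -c '\.php$'
}

# Example invocation when run directly (paths are placeholders):
# audit_www_writable /var/www/example.org www-data
# count_www_writable_php /var/www/example.org www-data
```

A result of zero for `count_www_writable_php` on a deployed site means the ownership/permission scheme actually prevents the in-place php rewrite described above; a non-zero count lists the files that a compromised plugin could modify.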