With ProFTPD the exclamation means "not."
Your example will play out as: Lock everyone into their home directory except members of group adm.
The most secure method would be DefaultRoot ~ which is without an admin group bypass, which would lock everyone into their home folders including admin group members.
Code:
<VirtualHost 192.168.10.21>
DefaultRoot / wheel
DefaultRoot ~ users
DefaultRoot ~/../../.. site-admin
DefaultRoot ~ !site-admin
DefaultChdir /ftp
</VirtualHost>
The first DefaultRoot says group wheel members default to system root with the "/" character. (This has a different effect in older versions, and it's the reason I had to edit this post.)
With the second DefaultRoot, when a user logs in that is a member of group users, they will default to /home/username. This will be their root, meaning they can't cd .. into a lower directory.
The third DefaultRoot says Site-admin group members are allowed to drop down below their default directory three levels, which is usually system root.
The fourth DefaultRoot directive also states with the tilde "~" and exclamation point "!" that members of group site-admin are NOT locked into their ftp root directory.
The last directive DefaultChdir says: If /home/username has a subdirectory named ftp, then default to /home/username/ftp The user can still cd .. down one level.
These directives will work as global defaults or virtualhost settings.
Hope that explains it.