First, the answer to the unasked question: You can keep your users separate via permissions set for users only allowing access to specified tables and preferably limited to INSERT, UPDATE and DELETE actions.
A1. Of course you should be concerned about protecting user data as, with access (via a PHP script) to files outside the webspace, they can do anything with that, including accessing your login script, not just others' files. With no way for Apache (or PHP) to differentiate your users from you, they will have all the permissions you have.
You think PDFs are safe? What about the JS contained within the PDF files? They are security issues and have been for some time. I will only allow my clients to upload JPG or GIF images to the upload directory and move them to their website only after recreating the image anew with GD (copy image then resize) in the belief that GD will not pass along any "payload" embedded in the images.
A2. No, you should NOT use the same username and password for your users! As mentioned in response to the unasked question above, keep your db users separated by the tables they're allowed to access (with very limited access). Anything beyond that is "professional suicide," IMHO.
Okay, you're thinking like a host, not a hacker. Change your hat and consider the things you could do to hack your site the way you've suggested configuring it. If you can think of the patches necessary to block those hacks, you've probably discovered 10% of the hacks good hackers can exploit, so my recommendation is to GET PARANOID! You've taken the first step by asking your questions, now try to "break it" and see how far you get as your own "black hat" (okay, "white hat" as you don't want to damage your computer or its files).
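The GD re-creation step described in the answer above, as an added example that is not part of the original post: it accepts only JPG or GIF, decodes the upload, redraws the pixels onto a fresh canvas and writes a new file under a server-chosen name. The function name `reencode_image()`, the size limits, the quality setting and the sample marker are assumptions made for illustration.

```php
<?php
// Added example: re-encode an uploaded JPG/GIF with GD before publishing it.
// reencode_image() and all limits below are hypothetical, not from the post.
function reencode_image(string $src, string $dstDir, int $maxSide = 1600): string
{
    $info = @getimagesize($src);   // reads the file header, ignores name and extension
    if ($info === false) {
        throw new RuntimeException('not an image');
    }
    [$w, $h, $type] = $info;
    $loaders = [
        IMAGETYPE_JPEG => 'imagecreatefromjpeg',
        IMAGETYPE_GIF  => 'imagecreatefromgif',
    ];
    // Reject other formats and oversized dimensions before decoding (memory use).
    if (!isset($loaders[$type]) || $w < 1 || $h < 1 || $w * $h > 40000000) {
        throw new RuntimeException('only JPG or GIF of reasonable size accepted');
    }
    $in = @$loaders[$type]($src);
    if ($in === false) {
        throw new RuntimeException('decode failed');
    }
    // Copy then resize: only decoded pixels reach the new canvas.
    $scale = min(1.0, $maxSide / max($w, $h));
    $nw = max(1, (int) round($w * $scale));
    $nh = max(1, (int) round($h * $scale));
    $out = imagecreatetruecolor($nw, $nh);
    imagecopyresampled($out, $in, 0, 0, 0, 0, $nw, $nh, $w, $h);
    // Server-generated name; the client's file name is never used.
    $ext = $type === IMAGETYPE_JPEG ? 'jpg' : 'gif';
    $dst = rtrim($dstDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok  = $type === IMAGETYPE_JPEG ? imagejpeg($out, $dst, 85) : imagegif($out, $dst);
    if (!$ok) {
        throw new RuntimeException('write failed');
    }
    return $dst;
}

// Constructed sample: a small JPEG with marker bytes appended after the image data.
$marker = 'CONSTRUCTED-TRAILING-MARKER';
$upload = tempnam(sys_get_temp_dir(), 'up');
imagejpeg(imagecreatetruecolor(64, 48), $upload);
file_put_contents($upload, $marker, FILE_APPEND);
$clean = reencode_image($upload, sys_get_temp_dir());
echo 'marker in upload: ', var_export(strpos(file_get_contents($upload), $marker) !== false, true), "\n";
echo 'marker in output: ', var_export(strpos(file_get_contents($clean), $marker) !== false, true), "\n";
```

Re-encoding drops metadata segments and bytes outside the decoded pixel data; it does not validate what the pixels themselves encode, so the output should still be served from a directory where PHP execution is disabled.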