Bitcoin Core should run under a user created specifically for it. You could give your web developer another unprivileged account on the machine; then they would not be able to access your funds.
I wouldn't recommend running Core on the same machine as your other stuff though. You could have a separate machine for Bitcoin that the developer has no access to and one that they can access to develop your shop or whatever.
The OP did not specifically say, but I got the impression that whatever the dev is creating needs to have RPC access.
If the above is true, even if the OP is running a full node on a different server than the production server, the prod server will still need to interact with the RPC.
It is probably best to not allow the dev to work on a production server, or to interact with a production bitcoin node. The OP should give his dev access to a development server on which he can test his code to make sure everything works as intended. Someone working "honestly" could easily accidentally write code that results in something happening in a way that is not what was intended (this is quite common). Using a development server prevents this from affecting the OP's production full node or his production server. Once the code is complete, the OP can audit the code and push the code to the production server.
Anyone with access to an RPC server will need the passphrase in order to dump the private key or sign any transactions, so there is some level of protection from the stealing of coin.
Even if the dev does not have access to production servers, it is still possible that whatever he is developing will result in stolen funds from the OP. For example, a dev could make the backend act as if a deposit was received to the OP's wallet if a transaction to bc1DEVaddress....12 is received. This is why it is important to audit any code a dev creates for you.
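As an added example (not code from either poster), this is the shape of deposit-crediting routine the OP would want to find when auditing the dev's code: every fact that decides a credit comes from the node's `gettransaction` and `getaddressinfo` replies, so a transaction to an address the wallet does not own is never credited, even if that address has been planted in the invoice table. The RPC stub, txids and addresses are constructed so the block runs offline.

```python
from decimal import Decimal

MIN_CONFIRMATIONS = 3

# Constructed stand-in for Bitcoin Core wallet RPC replies (sample data only,
# regtest-style addresses). The shapes follow `gettransaction` and
# `getaddressinfo`; real code would talk to the node over JSON-RPC.
FAKE_NODE = {
    "gettransaction": {
        "tx-good": {"confirmations": 6, "details": [
            {"category": "receive", "address": "bcrt1qshop0", "amount": Decimal("0.5")}]},
        "tx-unconfirmed": {"confirmations": 0, "details": [
            {"category": "receive", "address": "bcrt1qshop0", "amount": Decimal("0.5")}]},
        "tx-to-dev": {"confirmations": 6, "details": [
            {"category": "receive", "address": "bcrt1qdev0", "amount": Decimal("0.5")}]},
    },
    "getaddressinfo": {
        "bcrt1qshop0": {"ismine": True},
        "bcrt1qdev0": {"ismine": False},  # a key this wallet does not hold
    },
}

def rpc(method, arg):
    """Minimal RPC stub; an unknown txid raises, as the real node would."""
    try:
        return FAKE_NODE[method][arg]
    except KeyError:
        raise RuntimeError(f"{method}: {arg!r} is not known to the wallet")

def credit_deposit(txid, invoice_address, invoice_amount):
    """Return (credited_amount, reason). Every fact that decides a credit
    comes from the node, not from the caller and not from the invoice row alone."""
    expected = Decimal(str(invoice_amount))
    try:
        tx = rpc("gettransaction", txid)
    except RuntimeError as err:
        return None, str(err)
    if tx["confirmations"] < MIN_CONFIRMATIONS:
        return None, "insufficient confirmations"
    # The wallet must own the invoice address: a foreign address planted in
    # the invoice table is refused here even when the transaction pays it.
    if not rpc("getaddressinfo", invoice_address).get("ismine"):
        return None, "invoice address not owned by wallet"
    received = sum((d["amount"] for d in tx["details"]
                    if d["category"] == "receive" and d["address"] == invoice_address),
                   Decimal(0))
    if received < expected:
        return None, f"paid {received}, expected {expected}"
    return received, "ok"
```

The reason string is what the shop should log: a pattern of "paid 0, expected ..." for transactions the backend nonetheless treated as deposits is exactly the behaviour the backdoor above would produce.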