Currently the permissions are 644 with root the owner and group. (...) (1) Who should own these files?
If it's user changable files, a lesser-privileged one. If you've got userdirs within the chroot you could chown files to them, if you're using a webserver like Apache, you've possibly got an inert Apache account, so you could chown files to that or the nobody account. Permissions should be sufficient enough for the server to serve and the users to change.
(3) Is this a security risk?
Depends on what files you mean and who needs to be able to change em.
I am not sure about the security of the chroot if files belong to root.
Executables, config files (files you don't want to be edited by non-privileged users) are usually owned by root. That's no problem. What can be a problem is allowing stuff in the chroot that is not supposed to be there. The fact the files reside within a chroot can only be counted as "mitigating circumstances" when the jail is sealed. No linking outside, no mount binds, no mounted /proc, minimal /dev/, no setuid root binaries, not allowing people to create devices or setuid root binaries.
If unsure about chrooting, check out the
LQ FAQ: Security references.