It appears that when pg_ctl gets a stop request for a given directory, it looks for a pid file in that directory and signals that pid to stop. It doesn't appear to check that the pid is for a PostgreSQL postmaster running out of the given directory. I think it should, although on a quick scan of the code, I didn't see a convenient way to do that.
I have some evidence that when we attempted to stop a PostgreSQL instance which (it turned out) had died without cleaning up the pid file, it actually stopped another instance which was using a different data directory but had wrapped around to the same pid.
I guess if we ran each instance under a different OS user we would be protected from this, but we hadn't thought that was necessary. Besides, we have other processes running under that OS login for maintenance or as part of the recovery processing.
-Kevin
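
Added example, not part of the message above and not pg_ctl code: one way to make the check the message asks for on Linux, by comparing the recorded pid's working directory with the data directory before signalling. It assumes the postmaster's working directory is its data directory and that `/proc/<pid>/cwd` is readable; `pidfile_owner_matches` and `write_pidfile` are hypothetical names, and the pid file in the demo is constructed.

```c
/* Added example, not PostgreSQL source. Linux-only: reads /proc/<pid>/cwd. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* 1: pid in <datadir>/postmaster.pid is alive with datadir as its working
 * directory; 0: stale pid or some other process; -1: could not check. */
int pidfile_owner_matches(const char *datadir)
{
    char path[PATH_MAX], want[PATH_MAX], have[PATH_MAX];
    long pid;
    FILE *fp;
    snprintf(path, sizeof(path), "%s/postmaster.pid", datadir);
    if ((fp = fopen(path, "r")) == NULL) return -1;
    int n = fscanf(fp, "%ld", &pid);        /* first line holds the pid */
    fclose(fp);
    if (n != 1 || pid <= 0 || realpath(datadir, want) == NULL)
        return -1;
    snprintf(path, sizeof(path), "/proc/%ld/cwd", pid);
    if (realpath(path, have) == NULL)       /* follows the cwd symlink */
        return errno == ENOENT ? 0 : -1;    /* ENOENT: no such process */
    return strcmp(want, have) == 0;
}

/* Writes a constructed pid file so the demo does not need a real server. */
static int write_pidfile(const char *datadir, long pid)
{
    char path[PATH_MAX];
    FILE *fp;
    snprintf(path, sizeof(path), "%s/postmaster.pid", datadir);
    if ((fp = fopen(path, "w")) == NULL) return -1;
    fprintf(fp, "%ld\n", pid);
    return fclose(fp);
}

int main(void)
{
    char tmpl[] = "/tmp/pgdata-demo-XXXXXX"; /* constructed data directory */
    char *dir = mkdtemp(tmpl);
    if (!dir || write_pidfile(dir, (long) getpid()) || chdir(dir)) return 1;
    printf("process running in data dir: %d\n", pidfile_owner_matches(dir));
    if (chdir("/")) return 1;
    printf("same pid, other directory:   %d\n", pidfile_owner_matches(dir));
    return 0;
}
```

The check narrows the window but does not close it: the pid can still be recycled between the check and the signal, and any process that happens to have the data directory as its working directory will pass.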