Looks like the raw transactions API could be useful to run a connected client, but keep signing keys elsewhere. (Elsewhere = only occasionally connected in some limited hardened way.)
This would be easier if the connected client were able to 'listunspent' outputs available to arbitrary addresses.
Is there a way to register watched addresses in the standard client?
Or, could 'listunspent' be extended to take any non-wallet address as an optional parameter?