apetersson, I think that having privkey in the url creates more issues than it solves (it does not solve the trust issue itself, and may create additional nasty edge cases)
please explain to me what these edge cases are.
if the secret part of the url can leak, it is certainly equally bad as an attacker can empty the wallet.
by not keeping the actual private keys on your server only in memory for a short amount of time you avoid many hacking problems.