A public derivation of the masterkey for generating addresses is much better than P2SH enforced.
I respectfully disagree. If the server you use has the only copy necessary to spend your money then you are in an entirely different realm of banking. My solution proposes that you are in full control of your money and the "bank" is only there to provide some convenience.

!!! Public derivation means that the public master key can only serve to generate bitcoin addresses, NOT private keys! Each client's software, on the other hand, keeps the private master key encrypted for private derivation to spend their coins... Read this carefully:
https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki . It's like what Electrum implements with its watch-only wallet.
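As an added illustration of the point above (this is example code written for this thread, not code from BIP32, Electrum, or either poster), the following pure-Python script performs BIP32 non-hardened derivation twice: once on the "server" side with only the public master key and chain code (CKDpub), and once on the "client" side with the private master key (CKDpriv). The pubkeys match, so the server can generate the addresses, yet it never touches a private key; asking it for a hardened child fails, because hardened derivation needs the private key. The seed is a constructed sample, the curve arithmetic is a textbook implementation (not constant-time, illustration only), and the negligible IL >= n / zero-key edge cases from the BIP are not handled:

```python
import hmac
import hashlib

# secp256k1 curve parameters (standard constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000

# Constructed sample seed; any 16-64 bytes of entropy would do.
SEED = bytes(range(16))


def ec_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P      # doubling (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (illustration only, not constant-time)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def ser_p(point):
    """SEC1 compressed encoding (33 bytes): 0x02/0x03 prefix by y parity, then x."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def master_from_seed(seed):
    """BIP32 master key: I = HMAC-SHA512(key='Bitcoin seed', data=seed)."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]          # (k_master, chain code)


def ckd_priv(k_par, c_par, index):
    """CKDpriv: child private key from the parent private key (hardened or not)."""
    if index >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big") + index.to_bytes(4, "big")
    else:
        data = ser_p(ec_mul(k_par, G)) + index.to_bytes(4, "big")
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    k_child = (int.from_bytes(i[:32], "big") + k_par) % N
    return k_child, i[32:]


def ckd_pub(K_par, c_par, index):
    """CKDpub: child public key from the parent public key alone (non-hardened only)."""
    if index >= HARDENED:
        raise ValueError("hardened children cannot be derived from a public key")
    data = ser_p(K_par) + index.to_bytes(4, "big")
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    K_child = ec_add(ec_mul(int.from_bytes(i[:32], "big"), G), K_par)
    return K_child, i[32:]


def watch_only_matches_spending_wallet(seed, count):
    """Server side holds only (K, c); client side holds (k, c).
    Returns True when every pubkey the server derives (and would hash into an
    address) is exactly the one whose private key the client can derive."""
    k, c = master_from_seed(seed)
    K = ec_mul(k, G)
    for idx in range(count):
        K_child, _ = ckd_pub(K, c, idx)        # server: no private material involved
        k_child, _ = ckd_priv(k, c, idx)       # client: holds the key that can sign
        if ec_mul(k_child, G) != K_child:
            return False
    return True


def hardened_from_pubkey_fails(seed):
    """True if the watch-only side is refused a hardened child, as BIP32 requires."""
    k, c = master_from_seed(seed)
    try:
        ckd_pub(ec_mul(k, G), c, HARDENED)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("server pubkeys match client keys:", watch_only_matches_spending_wallet(SEED, 3))
    print("hardened derivation refused for watch-only:", hardened_from_pubkey_fails(SEED))
```

The P2PKH address is just Base58Check(0x00 || RIPEMD160(SHA256(ser_p(K_child)))), so once the pubkeys agree the addresses agree too; that hashing step is left out here to keep the example to the derivation itself. The design consequence for the "bank" model in this thread: the server can be given (K, c) to generate receiving addresses and watch balances, while only the client ever holds k, and exposing (K, c) does not let anyone spend. One caveat worth keeping in mind from the BIP: if an attacker obtains the chain code together with any non-hardened child private key, the parent private key can be recovered, which is why hardened derivation exists for the levels above the watched branch.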