yeah you wouldnt think they would risk bad rep for the exchange for and loose all the trade fees just to steal some pocket change compared to fee revenue.
Maybe they go a bit more complex process to access the keys,  tsuch as tight securty measures could make it not so simple to (the coin privkeys would would hopefuly be locked down well, maybe the manual operation he'd need to perfor actual means travel to the server for local console access, or travel to location of ssh login key for coinadmin account. Send him a reminder  every week or whatever so he won't forget it, and hope he'll recover them when i gets the chance.... or adds your email to spamfilter/