Post
Topic
Board Bitcoin Discussion
Re: Is it time for transparent and probvably-not-fractional-reserve exchange?
by
CryptoPanda
on 06/03/2014, 13:37:08 UTC
I've read something about open and contract based transactions. It's all theoretically possible but none has been implemented yet.
I guess we are just in the beginning of an exciting technology. Very in the beginning.

Well, an exchange like this already exists: https://bitalo.com/why_bitalo/

Three problems:

1) Exchange operators, including operators and employees, might steal your bitcoins.
2) Exchange operators might lose the private keys to your bitcoins.
3) External attackers might compromise the security of the site and steal your bitcoins.

First off: All Bitalo wallets are P2SH 2-of-2 multisignature wallets. One key belongs to the user (we never see it), the other one belongs to Bitalo (user never sees it). Now to tackle the problems above:

1) Bitalo, its employees or even server providers cannot move Bitcoins, because they only have one of two keys required for signing a spending transaction.
2) A backup "lock time" transaction is signed after every wallet action, so even if Bitalo loses the keys, after "lock time" expires you can claim your Bitcoins (note that this is a feature that we're testing and not deployed yet, but will do very soon)
3) See no. 1. An attacker can only steal one of two private keys required to sign a transaction. To successfully steal Bitcoin, an attacker would need to compromise *both* our servers and the user's computer to steal both keys. Even then he can only steal from this one specific user, not all of them.

So what you end up with is a wallet which you can inspect personally at any given time to see that your Bitcoins are still intact. You can just fire up your favorite blockchain explorer, or even a watch-only desktop client, and check it!

Oh, and you don't have to take my word for it. Just go to the site and inspect the code. Or ask someone to do so if you don't have the knowledge. The javascript code that creates and signs transactions is open, uncompressed, ready to be inspected.

And if that doesn't sound trustworthy, you can actually look up "Bitalo Aktiengesellschaft" to see that we are a real company registered in Germany as AG (like Inc. in the US) with 75.000 EUR founding capital, so we definitely won't risk doing anything stupid.

Great! That looks like a very interesting project, I'll look it up closer!
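
A check a user could run on the backup "lock time" transaction described in point 2 of the post, given here as an added example that is not part of the thread and not Bitalo's code: it parses a legacy-format raw transaction and applies Bitcoin's finality rule to tell when the backup becomes spendable. The sample transaction (placeholder txid and output script), the function names and the chosen lock height are constructed for illustration.

```javascript
// Constructed sample: legacy-format backup transaction, one input, one output.
const SAMPLE_TX_HEX =
  '01000000' +                 // version 1
  '01' + '11'.repeat(32) +     // one input: placeholder previous txid
  '00000000' + '00' +          // vout 0, empty scriptSig (signatures omitted)
  '00000000' +                 // sequence 0: non-final, so nLockTime is enforced
  '01' + 'a086010000000000' +  // one output: 100000 satoshi
  '19' + '76a914' + '22'.repeat(20) + '88ac' + // placeholder P2PKH script
  'e0930400';                  // nLockTime 300000 (a block height)

const LOCKTIME_THRESHOLD = 500000000; // below: block height; otherwise Unix time
const SEQUENCE_FINAL = 0xffffffff;

// Extract the fields that decide finality: input sequences and nLockTime.
function parseLegacyTx(hex) {
  const buf = Buffer.from(hex, 'hex');
  let pos = 0;
  const u32 = () => { const v = buf.readUInt32LE(pos); pos += 4; return v; };
  const varint = () => {
    const first = buf[pos++];
    if (first < 0xfd) return first;
    if (first === 0xfd) { const v = buf.readUInt16LE(pos); pos += 2; return v; }
    throw new Error('varint larger than 16 bits not handled in this sketch');
  };
  const version = u32();
  const nIn = varint();
  if (nIn === 0) throw new Error('no inputs or segwit marker: not handled');
  const sequences = [];
  for (let i = 0; i < nIn; i++) {
    pos += 36;                          // previous txid + output index
    const len = varint(); pos += len;   // skip scriptSig
    sequences.push(u32());
  }
  const nOut = varint();
  for (let i = 0; i < nOut; i++) {
    pos += 8;                           // value in satoshi
    const len = varint(); pos += len;   // skip output script
  }
  const lockTime = u32();
  if (pos !== buf.length) throw new Error('trailing or missing bytes');
  return { version, sequences, lockTime };
}

// Finality rule: a lock time is only enforced while some input is non-final.
function isFinal(tx, nextBlockHeight, blockTime) {
  if (tx.lockTime === 0) return true;
  const limit = tx.lockTime < LOCKTIME_THRESHOLD ? nextBlockHeight : blockTime;
  if (tx.lockTime < limit) return true;
  return tx.sequences.every((s) => s === SEQUENCE_FINAL);
}
```

A backup whose inputs all carry sequence `0xffffffff` is final immediately regardless of its lock time, so the sequence values are worth checking alongside the lock time itself.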