Are you trying to say that sending public keys over HTTPS is not secure somehow? Also, intercepting public keys could only harm privacy, but still, private keys are needed to spend it. Also, multiplying and dividing keys is enough to prove the ownership of some private key and share the public key at the same time. More than that: both private keys are needed (or both signatures signing some transaction chosen by the attacker). If only one would be compromised, then altering transaction by some third party is impossible.
I was thinking of delivery of private keys via email, which has horrendous privacy problems. But now that I think of it, there's a way to make private keys available in the browser without giving anyone else a chance to see it.
It involves creating a token for each user every time they buy a mining contract, similar to the session IDs that Chipmixer makes. These tokens have to be saved by the user because they are erased server-side. Typing this token gives you access to your corresponding private key for you to copy (operating system security and clipboard snooping et al still apply).
A bonus you get from this method is that when the user wants to cancel their service, they would delete this token which will also delete the private key, after one final transaction to move all mined bitcoins off to the user has been signed and broadcasted.