I was thinking of delivery of private keys via email, which has horrendous privacy problems. But now that I think of it, there's a way to make private keys available in the browser without giving anyone else a chance to see it.
It involves creating a token for each user every time they buy a mining contract, similar to the session IDs that Chipmixer makes. These tokens have to be saved by the user because they are erased server-side. Typing this token gives you access to your corresponding private key for you to copy (operating system security and clipboard snooping et al still apply).
A bonus you get from this method is that when the user wants to cancel their service, they would delete this token which will also delete the private key, after one final transaction to move all mined bitcoins off to the user has been signed and broadcasted.
That doesn't solve anything, the company has to always have access to the funds and be able to move them (we assume they are a legitimate business and have to buy equipment, pay for maintenance, pay the bills, etc). So the coins can't be locked in a single key and stay there, they have to move. The company can't also give access to their whole balance to random users! If the company turns malicious they can also empty the key before the user by storing the key and lying about discarding it.