You wrote before that you don't want to give the user control of the address, so private key generation must be completely out of their hands. I don't understand the point of giving the user the ability to determine the level of your security.
Maybe 2-of-3 multisig is the approach you are looking for. You have 2 keys so you have complete control, and the user has 1 key so they can spend with your approval.
Sounds good, but how do crypto casinos work today? If I have your username and password and log in, can I withdraw your funds? I am almost certain I can, but I don't really use gambling sites anymore, that's why I ask.