Withdrawal to bitcoin address is the exchange function/API call that is most prone to theft.
Other withdrawal methods have at least some level of traceability and/or reversibility.

Therefore, I propose the following solution:
1) create a completely separate right for both the web and the API for withdrawal to bitcoin address, separate from all the other withdrawal methods.
2) allow the owner of the account to have a whitelist of bitcoin addresses to which it is allowed to withdraw from both the web AND the API.
3) require two-factor authentication for adding or removing addresses to and from the whitelist.

This simple feature means that even in the event of an attacker gaining access to the user's web dashboard or the user's API keys,
the attacker will not be able to withdraw bitcoins to addresses of his choice.

Simple fix to a significant security risk.