Perhaps something with multi-signature addresses. If you require 2 signatures to spend a balance, but just 1 to mine with it then you may have additional security.
If the pool operator's signature is required to spend your balance, doesn't that mean you can't get your balance back if the pool operator disappears?
If you're considering this idea, I'm pretty sure you'll wind up exactly where I suggested -- having a way to sign over the authority to mine with your balance, but not to spend it.
Exactly, if you use multisig for this, people can have full control of their own wallets, but send a copy of one key to the pool operator to mine for them. It's possible most people wouldn't care who mined for them, and would thus make their "mining key" basically public, potentially undermining POS.
If mining income could be directed to an address other than the mining address, that would force people to care who mined for them, but then it seems like you might as well just allow full multiple input multiple output mining transactions.