I don't want to over complicate all the sets of private keys that an account can have but I was wondering if it would be possible to have an account that has permission to make market transactions but can not make withdrawals from an account.
This will not help, and very easy to bypass, attacker can just buy some stupid assets at high price from yourself using your BTS, etc.
PS: It's already was happened for some centralized exchanges where attacker get access to account without withdraw permissions.