I understand the issues listed, but some assumptions at the beginning are not really problems in practice. Or at least not if your alternative is a custom implementation.
> They haven't earned the right to run with privileges for my private keys and/or ability to frob the web server (as root!)
None of that is needed. You can set up the update system in isolation, redirect the required paths and copy the keys manually. None of that needs to run as root either if you can set the permissions correctly or delegate actions to other processes.