would it be possible to say: from this address ONLY transfers to another address are allowed?
the "other address" could be on a different server which rechecks if its a valid withdraw request.
that way the thief has to hack the database too and cannot compromise the the "other addresses"-privkey.
This doesn't do much. If address A can only be spent to address B then coins sent to address A are like coins sent to address B. The only difference is that if B is compromised and A is intact, the original owner can hold the coins ransom when negotiating with the thief.