You could run the mint code in a secure enclave where even the operator cannot change the code and spend bitcoin to a wrong address.

However at the very least he could plug out the server and "destroy" the private keys to the bitcoin.