you don't. you're not handing over the private keys. you sign the transaction locally, and give them to the third party to broadcast in case you're not online. it can even be multiple third parties so you're not trusting a single one. this provides better reliability than broadcasting it yourself on your home/vps/colo connection.
If you're dealing with amounts so large that you can't trust [large number] of independent third parties, you can always fall back to on-chain. but you've got to be pretty paranoid to think that starbucks is going to collude with [large number] of independent third parties to steal your $100 coffee deposit.