• It is generally very bad practice to wait for user input inside a transaction.  But the scenario you lay out would be a worst-case.  Not only would you have to wait for user input within the transaction, you would also have to allow dirty reads.  As you point out, this is a recipe for disaster both from a performance as well as a security standpoint.  I would say that any developer and/or DBA that wrote an application that badly should most certainly be fired, no questions asked.

    Without knowing all the details, I would say that the temp table would mitigate the security risk somewhat, but poorly conceived transactions are the root problem and it doesn't help at all with that.

    /*****************

    If most people are not willing to see the difficulty, this is mainly because, consciously or unconsciously, they assume that it will be they who will settle these questions for the others, and because they are convinced of their own capacity to do this. -Friedrich August von Hayek

    *****************/