I am not clear what you want to do. As far as I understand, the question is how users can hold my custom asset and XLM on the same account. In that case, here's one way to do that:
You already do auth_required and auth_revocable, let's keep that.
Whenever a user signs up with you, create an account and set up trusts for him as before.
On top of that, change their signer to your own "Client support" seed. In this case, the user isn't necessarily aware of Stellar and you don't have to juggle thousands of seeds yourself.
Whenever a user wishes to "upgrade", ask him to generate a seed and change the signer of the user's account to the user's seed. Now the user can use his account directly, including to hold XLM and other assets on it. Whenever he misbehaves, you have your auth_revocable flag.
Unfortunately, some (idk, maybe all?) Stellar wallets do not support mismatching accountId and seed pairs yet. But the Stellar SDKs do, so it should come to wallets whenever a need arises.
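The signer handover described in this answer, as an added example that is not part of the original post and is not Stellar SDK code: a simplified model of an account's master weight, extra signers and thresholds, walking through the custodial phase and the later "upgrade". The identifiers `G_ACCOUNT`, `G_SUPPORT` and `G_USER_KEY` are placeholders, and the lock-out check is this example's own client-side guard.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    """Simplified model of a Stellar account's signing state (not SDK code)."""
    account_id: str
    master_weight: int = 1
    thresholds: dict = field(default_factory=lambda: {"low": 0, "med": 0, "high": 0})
    signers: dict = field(default_factory=dict)  # extra signer key -> weight

    def weight_of(self, keys):
        total = sum(self.signers.get(k, 0) for k in set(keys))
        return total + (self.master_weight if self.account_id in keys else 0)

    def authorized(self, keys, level):
        # Even at threshold 0, one signature with non-zero weight is required.
        return self.weight_of(keys) >= max(1, self.thresholds[level])

    def set_options(self, signed_by, master_weight=None, signer=None):
        # Changing signers is a high-threshold operation.
        if not self.authorized(signed_by, "high"):
            raise PermissionError("signatures do not meet the high threshold")
        new_master = self.master_weight if master_weight is None else master_weight
        new_signers = dict(self.signers)
        if signer:
            key, weight = signer
            new_signers.pop(key, None)      # weight 0 removes the signer
            if weight:
                new_signers[key] = weight
        # Client-side guard added by this example; the network itself would
        # accept a change that leaves the account unable to sign.
        if new_master + sum(new_signers.values()) < max(1, self.thresholds["high"]):
            raise ValueError("change would lock the account")
        self.master_weight, self.signers = new_master, new_signers

def custodial_then_upgrade():
    # Placeholder identifiers, constructed for the example.
    acct = Account("G_ACCOUNT")
    # Sign-up: support key becomes the only signer, master key is disabled.
    acct.set_options(["G_ACCOUNT"], master_weight=0, signer=("G_SUPPORT", 1))
    custodial = (acct.authorized(["G_SUPPORT"], "med"), acct.authorized(["G_ACCOUNT"], "med"))
    # Upgrade: add the user's key first, then drop the support key.
    acct.set_options(["G_SUPPORT"], signer=("G_USER_KEY", 1))
    acct.set_options(["G_USER_KEY"], signer=("G_SUPPORT", 0))
    upgraded = (acct.authorized(["G_USER_KEY"], "med"), acct.authorized(["G_SUPPORT"], "med"))
    return custodial, upgraded

if __name__ == "__main__":
    print(custodial_then_upgrade())
```

The order in the upgrade step matters: removing the support key before the user's key is added would leave no signer able to meet the high threshold.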