Sure, makes sense. Hmm..
One approach would be to 1) keep the above Remediation option normal until you're ready to deploy the Adobe Reader DC patches, 2) change Remediation to "only when logged out", 3) create the software update policy for ARDC, then 4) change Remediation back (and don't modify existing policies).
Of course it might end up being easier to do all this via a Managed Software Delivery, though you said you hoped not to. People do like the granular control of the MSD approach for this type of patching weirdness, which doesn't crop up that often but is complicated to deal with.
Another approach you might consider: you could schedule a task to logoff the VIP user prior to the software update cycle running. If there's a chance this user would agree to a particular time for updates -- having had such problems recently, maybe he will? -- that might be your answer. The power control - logoff task could push from the NS as a normal Task, or kick off locally like a policy (via "Client Task Schedule" on the Tasks page) depending on how reliably that machine is connected to your network. You could even apply a Maintenance Window policy to his machine, to enforce that the logoff and the updates wouldn't happen outside of specified times.
Other folks may have other suggestions. These were what I could think of. Please let us know what ends up working for you!