Which is absurd. ProtonMail can easily access your emails if they want to and spend the tiniest of efforts. Fundamentally, you read your emails by decrypting them with a private key. That key is (supposedly) unlocked via your password. They already have the locked private key - they store it for you. All they need to do is also store your password (or a hash of it, if they do that first) - like when you type it into their websites every time you log in. They don't even have to put this functionality in JS, they can just intercept requests in their back end and clip out the password / the hash of it.
ProtonMail is a third party to which you have to give credentials and you are trusting them to not do these things and "trust me bro" is generally bad security.
A properly secure version would require the use of an open source native client whose releases are signed and verifiable. The client would fetch emails (better hope the senders use encryption) and you would unlock them with a private key that ProtonMail has never and will never see. ProtonMail claims to do something like this in your browser but cannot make such ironclad guarantees about signed releases, thus ensuring that any snooping code would be revealed and noticed by others as part of any release.
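An added illustration, not part of the comment above and not ProtonMail's code or protocol: a generic password-locked private key, showing that the stored blob alone cannot be opened while the blob plus the password is enough to read mail. The scrypt and AES-256-GCM choices, the function names, and the sample password and message are all assumptions constructed for this example.

```javascript
const crypto = require('node:crypto');

// Client side: derive a key-encryption key from the password and lock the private key.
function lockPrivateKey(privateKeyDer, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const kek = crypto.scryptSync(password, salt, 32);
  const c = crypto.createCipheriv('aes-256-gcm', kek, iv);
  const ct = Buffer.concat([c.update(privateKeyDer), c.final()]);
  return { salt, iv, ct, tag: c.getAuthTag() }; // the blob a storage provider would hold
}

// Anyone holding the blob AND the password can run this, on any machine.
function unlockPrivateKey(blob, password) {
  const kek = crypto.scryptSync(password, blob.salt, 32);
  const d = crypto.createDecipheriv('aes-256-gcm', kek, blob.iv);
  d.setAuthTag(blob.tag);
  try {
    return Buffer.concat([d.update(blob.ct), d.final()]);
  } catch {
    return null; // wrong password: the GCM tag check fails
  }
}

// Decrypt one message with the unlocked key, or return null if unlocking failed.
function readMail(blob, password, encryptedMail) {
  const der = unlockPrivateKey(blob, password);
  if (der === null) return null;
  const key = crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
  return crypto.privateDecrypt(key, encryptedMail).toString('utf8');
}

// Constructed sample data: a fresh key pair, a made-up password and message.
function demo() {
  const password = 'correct horse battery staple';
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const blob = lockPrivateKey(privateKey.export({ format: 'der', type: 'pkcs8' }), password);
  const mail = crypto.publicEncrypt(publicKey, Buffer.from('meet at noon'));
  return {
    blobOnly: readMail(blob, 'not the password', mail), // storage without the password
    blobAndPassword: readMail(blob, password, mail),    // storage plus the password
  };
}
```

The confidentiality of the mail in this model rests entirely on the password never reaching whoever stores the blob.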