They claim to use zero access encryption, meaning you hold the key client side. I presume it’s generated somehow from, your username and password. If everything is hashed properly, meaning Proton isn’t deliberately just lying, then the contents of your email box are fairly secure. If they were to hand your email box to the government it should be not much they could do.

I don’t think they’ve ever claimed to be defiant of legal requests, and they sort of have to have your username to be able to service email accounts at all. Swiss privacy law is still better than a lot of places. I’m not sure I really want a defiant of the law email provider as they will just get shut down entirely.

If you’re doing highly illegal activity, just using a secure email shouldn’t even be close to the opsec standard. Keys should only be held in the brains of the user and encrypted/decrypted with offline tools. If you just want above average security and not having your email catalogued and sold to AI models, IMO Proton is sufficient.