First of all, ProtonMail is creating their private key on their end and then giving it to you. And the purpose of this encryption is to protect you from them. So that’s a conflict of interest. And what does end-to-end encryption even mean if it’s not on your device?
You can audit the code served in the browser, yeah (which can change at every page refresh), but you have no real way to audit their cloud backend or database to know if they even use this key in the ways they claim. Proton’s mobile app is far better than a web browser, but if they are so secure, then what are they handing over to the 3000 government data inquiries a year, a number that’s growing?