Yes, all web apps have the problem, and so it's not end-to-end.
No, it does NOT avoid middle attacks, since they can serve you phishing info. Also, there's some analysis by Proton of your password at account creation to make sure you're not a bot. So if you have 90 random characters, it's more likely to reject you as a spam bot, and not let you make an account. But if you have basic WORDS that aren't random, like "carrot", it will. This means they are seeing the password, connected to the backend spam filter. That's not private at all. And the source on this is me. We may release an official paper on it, but for now I'm just making the statement.
It's your subjective opinion if the trade-off is good, but it's far less secure than self-hosting. And a self-host VPS costs the same as a Proton Pro subscription.