Every mail provider can scan incoming unencrypted mail while in-traffic
Protonmail is one if the few providers that encrypts it at rest.
Email is shitty but it does not get better than that.
No, they don't keep private keys. You can generate one yourself and import it with a FOSS client. 

 If you use Protonmail your keys are in Protonmail and Protonmail owns them.

You can generate own keys locally, of course - you must generate them without password!!!! and you must upload them to Protonmail.