Every mail provider can scan incoming unencrypted mail while in-traffic. Protonmail is one of the few providers that encrypts it at rest. Email is shitty but it does not get better than that. No, they don't keep private keys. You can generate one yourself and import it with a FOSS client.