Thank you.

The paper focuses on the fact that when using webmail the Proton server could serve you malicious client-side code and steal or misuse your key. But all web apps have that problem.

Since Proton has implemented their "one-password" login, the PGP key is on the server, encrypted using your password salted+hashed. That means Proton could try to brute-force it. But it also means man-in-the-middle attacks are avoided.

I would call them tradeoffs, but I wouldn't say their implementation is fundamentally flawed or insecure.