They don't support subject encryption since that would break open pgp compatibility which is essential when mailing other providers.

You can generate your own private keys and import them. They need to be unencrypted when importing because they are re-encrypted with your protonmail account password so that they can be unencrypted automatically when you login. It is a convinience tradeoff so that the user does not need to worry about manually unlocking keys after login.

Both webclient and app are FOSS so this is just easily verifiable. The important thing is you can make sure they don't compromise or sweep your private keys.