[rurban]

Sure they see the plaintext version in flight from the router. That's where a warrant would install the TAP. Before it arrives the protonmail server, where it is encrypted and stored.

Outgoing mail similar, but there it can be encrypted, so the TAP would be directly at the server, before it is encrypted.

In contrast to gmail TAP's are installed by a warrant ordered by a judge and per customer only. With gmail warrants are not needed, data is just handed over, and search interfaces are available to any agency which wants it.