by trash_panda 2821 days ago
It isn't a matter of whether it's "secure" or not. The problem is that their security model is based around JavaScript code being pushed to your browser, where all the "cryptography" will happen. Yes, maybe your e-mails are actually encrypted. But let's say, for example, that their servers get compromised, by exploiting whatever vulnerability they have, or even that one of their employees gets phished. The attacker will be able to serve you a malicious JavaScript file, get your passphrase, and decrypt all your e-mails.

This risk is real even in the hypothetical world where everyone uses ProtonMail, but in the real world you have a bigger risk: most people don't use ProtonMail, and the risk of your e-mail being included in or forwarded (or whatever) to a "plaintext" service is really high.

I would recommend avoiding ProtonMail and other e-mail services that claim to be secure, and sticking to end-to-end solutions like Signal/Wire/WhatsApp.