Encryption is based on computers holding a "key," which they use to encrypt/decrypt data. So suppose 2 friends, Bob and Sue, send email to you. Bob would encrypt his email with his key, and then it's sent through ProtonMail and on to you. How would you possibly read it, unless, either:
- You had the same key as Bob, or
- Bob had his own key, and ProtonMail was translating from one to the other, by decrypting the mail Bob sent, then encrypting it with your key to pass on to you.
(Technical note: Often there's a keypair, rather than a simple key, but it doesn't change the problems discussed here.)
So let's explore scenario 1, which sounds OK when it's just you and Bob. Now you email Sue. In order for her to read your email, the 2 of you need to have the same key once again. If we continue to expand your number of friends, we find everyone on ProtonMail has to use the same key in Scenario 1. In Scenario 1, it only takes one person's mail being compromised to compromise everyone's email on all computers. Scenario 1, not so secure.
In Scenario 2, the ProtonMail service itself has to decrypt everyone's emails that pass through it, re-encrypt them with the recipient's key, and pass them along. That means everyone has separate keys, but ProtonMail has everyone's keys, and so they're available to hackers and legal orders. They're even available to ProtonMail to sell the contents to the highest bidder if they so choose.
It's possible that every connection you make generates a new set of keys, and ProtonMail helps the 2 of you connect, but then gets out of the transaction, allowing you to work out what your set of keys will be amongst yourselves - never touching the ProtonMail servers as you do. But they never describe such a process anywhere on their site or in the press they've been getting, so I'm really going out on a limb offering that third scenario.
Or is there something I'm not seeing here?
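As an added illustration (not part of the original post), the three scenarios above modelled with a toy symmetric cipher: the user names, the relay's behaviour and the cipher itself are constructed here, and the point each function returns is who can read the mail in transit.

```python
import hashlib
import hmac
import secrets

# Toy symmetric cipher (constructed for illustration, not for real use):
# keystream blocks = SHA-256(key || nonce || counter), plus an HMAC tag so a
# decrypt with the wrong key fails cleanly instead of returning garbage.
def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(plaintext) // 32 + 1))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None  # wrong key: the reader learns nothing
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(ct) // 32 + 1))
    return bytes(c ^ s for c, s in zip(ct, stream))

MAIL = b"meet at noon"  # constructed sample message

def scenario1_shared_key():
    # Everyone on the service uses one key; a copy leaked from Bob's machine
    # reads mail Sue sent to you just as well.
    service_key = secrets.token_bytes(32)
    sue_to_you = encrypt(service_key, MAIL)
    stolen_from_bob = service_key
    return decrypt(stolen_from_bob, sue_to_you) == MAIL

def scenario2_relay_reencrypts():
    # Separate keys, but the relay holds all of them and re-encrypts in transit,
    # so the plaintext exists on the relay for anyone who can compel or buy it.
    keys = {"bob": secrets.token_bytes(32), "you": secrets.token_bytes(32)}
    in_transit = encrypt(keys["bob"], MAIL)
    seen_by_relay = decrypt(keys["bob"], in_transit)
    forwarded = encrypt(keys["you"], seen_by_relay)
    return seen_by_relay == MAIL and decrypt(keys["you"], forwarded) == MAIL

def scenario3_pairwise_key_outside_relay():
    # Bob and you agree a pairwise key without the relay; it only forwards bytes
    # and none of the keys it does hold opens the message.
    pair_key = secrets.token_bytes(32)
    relay_known_keys = [secrets.token_bytes(32), secrets.token_bytes(32)]
    in_transit = encrypt(pair_key, MAIL)
    relay_can_read = any(decrypt(k, in_transit) is not None for k in relay_known_keys)
    return decrypt(pair_key, in_transit) == MAIL and not relay_can_read
```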