It is very possible for them to inject custom JS to a specific user.

You are the bosses at Protonmail, do you want police at 6 am shaking your kids, seize all your devices, loose all agreements with PayPal and Visa/MasterCard, because you want to protect a guy who distributes child pornography or plans a terrorist attack ?

No way, so you tap on the shoulder of the CTO and ask him to push a temporary update or turn on a feature flags, in order to collect the missing information.

This is true for all companies who control the client.

Trusting them is almost guaranteed, but it doesn't have to be, sort of. The clients are opensource so you literally clone, audit, and run the clients locally.

Full disclosure, I use Proton and overall trust them so unless I see strong evidence of abuse or lies on their part I'm inclined to post contextualizing comments on stuff like this, b/c well I don't wanna host my own mail server, at least not in prod.

Or just use an open source email client.

I would expect their own apps to be open source, are they not?