you still cannot verify that that’s the code running on their servers
This is why end-to-end encryption is paramount. You could be using Gmail as your provider for all I care as long as your messages are GPG-encrypted. Even if you trust the server-side completely (e.g. self-hosted), it’s still better to encrypt wherever possible, since it reduces attack surface.