When Protonmail says “An attacker without access to your secret key should not be able to modify your message without detection,” it’s a bit rich because Protonmail themselves are one possible (and most likely) threat. They can simply push malicious javascript when you login and your browser will automatically trust it. Until they fix that “Modern authenticated (AEAD) encryption” is just security theatre.
It’s a money problem. The fix to get everyone using a open source bridge, but Protonmail wants to sell you their bridge not support a free one like Hydroxide.