One productive way of thinking about whether and how much to trust ProtonMail is to consider the real-world example of Lavabit. The two services are identical in purpose: to provide free, secure and optionally anonymous email.
Lavabit had all the same vulnerabilities as ProtonMail, plus additional ones: Lavabit didn't have PM's in-browser encryption, plus it was of course based in the U.S., which was eventually its downfall. Even so, Edward Snowden trusted it enough to use it to contact activists and lawyers for a press event.
You can look at that two ways of course. Ed Snowden's implicit endorsement of Lavabit might go a long way towards validating the use of third-party secure email services. Or you could say that using Lavabit ultimately didn't help him in the end -- look what happened: Snowden's Lavabit email address was leaked and the service was shut down as a result.