
The private key is encrypted using your mailbox password (a 2nd password, not the login password) and that is not stored on their servers. So they only store and pass the private key encrypted.

So it should be secure enough, but for sure the implementation is still not perfect at all, especially if you want to communicate with non-ProtonMail users.



> So they only store and pass the private key encrypted.

I remember I was able to get the key passed through the network in unencrypted form; I was looking at the network tab of the browser's dev console. When you log in, look at the response of the https://mail.protonmail.com/api/auth POST query.



