Security is hardly a binary property.

Given you mention the specific technical setup, I would say yes - that is secure against most risks relevant for most people.

At least, it’s totally fine according to my own threat model, where I looked specifically at broswer-based encryption vs “manual” encryption (I.e. using PGP tools locally).

TBF, they push the same content via their email newsletter.

Tuta is great, I will start from that. But they encrypt the subject line, in addition to the body afaik. It is technically impossible to encrypt “every part of the email” because that would break delivery (e.g., metadata such as recipient or timestamps).

This also has the cost of a nonstandard protocol (not plain PGP), with all that implies in terms of compatibility, maintenance needs etc.

Since I have found it historically hard to engage on this (broader) subject around here, just yesterday I put together my own thoughts at https://loudwhisper.me/blog/proton-fediverse-burnout/

Personally, I did not see the value of their Mastodon presence, it was write only marketing communication, no engagement with the community anyway. That happened only ever on Reddit, which I think is going to continue being the case.

They push the same info via email newsletter, if someone really wants that stuff.

Either way, the post above covers my take on the whole drama, not just this last small chapter.

I also use porkbun, their API is not a masterpiece but it works and allows you to get, set and update records. In fact their API is now supported by some of the common ddns scripts out there.

Desec.io is a good option. To be honest using cloudflare just for DNS is completely OK. It’s not a service that allows spying on you or consolidates their monopoly.