Imagine putting a giant backdoor into your program and telling people it was secure
(this is a response to all JavaScript browser-based crypto libraries)
You're right, if ProtonMail alters javascript in the webclient, you they could intercept your password and decrypt the contents of your email. However, with that logic no service is safe. Hence, ProtonMail state that if you're the next Snowden, you shouldn't be using ProtonMail. Frankly, if you are that concerned you shoudln't use email. ProtonMail is recommened because they fit our criteria.
Disclosure: I'm also a team member.
For those looking, here is were ProtonMail made their statement:
https://protonmail.com/blog/protonmail-threat-model/
And here is a link to a video that covers the the Javascript claims.
