
No OP, perhaps one could think they make such a big thing about security to try to attract lucrative accounts, which they then have backdoors into.

As you can't verify their claims, all you can do is trust. If you want end-to-end encryption you should be GPG-encrypting every mail, not relying on the unverifiable word of a provider. Any provider worth its salt will know that, and thus wouldn't actually advertise an insecure (as verification can't be done) system as a secure one.



I think you might be misinformed - their security is based on client-side encryption which is open source. See:

- https://protonmail.com/blog/protonmail-open-source-crytograp...

- https://protonmail.com/blog/protonmail-secure-email-open-sou...

You don't have to trust any of their server code - you only have to trust that the JavaScript blob they send you is actually the same as the open source version. This is the same threat model as trusting Signal from the App store instead of side-loading it yourself.


As has been frequently pointed out, they could choose one account and serve that account a different webpage just once, and harvest their password in order to decrypt all their email in perpetuity. This would be a trivial change that would certainly go unnoticed.


I fail to see how this is any worse than any of their competition, which does server-side encryption. At least with ProtonMail there is the chance of them being caught serving backdoored client-side pages - with server-side you would never know.

I feel like the hate is a case of people thinking not being perfect is worse than being average or bad.


If ProtonMail is billed as a PGP replacement, then people will think it is reasonable to use ProtonMail's encryption instead of 'offline' encryption, when that's not the case at all.


A version of ProtonMail with the application hosted locally, and no auto-updates, would fulfill your requirements I believe.
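
The check this thread turns on, comparing the client code a server actually delivered against hashes pinned from a build of the published source, sketched as an added example that is not part of any comment above and is not ProtonMail's code. The paths, file contents and function names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri(data: bytes) -> str:
    """Subresource-Integrity style digest: 'sha384-' + base64(SHA-384)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()

class ScriptCollector(HTMLParser):
    """Collects external script URLs and notes any inline script body."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_inline = [], False, False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_inline = True

    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.inline = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

def audit(page_html: str, served: dict, pinned: dict) -> list:
    """Return findings; an empty list means this response matches the pins."""
    collector = ScriptCollector()
    collector.feed(page_html)
    findings = [("inline-script", "<page>")] if collector.inline else []
    for src in collector.external:
        if src not in pinned:
            findings.append(("unpinned-script", src))   # code the build never produced
        elif sri(served.get(src, b"")) != pinned[src]:
            findings.append(("hash-mismatch", src))     # same path, different bytes
    return findings

# Constructed sample data: bytes standing in for a build of the published source.
REFERENCE = {"/app.js": b"function decrypt(m, k) { return open(m, k); }\n"}
PINNED = {path: sri(body) for path, body in REFERENCE.items()}
PAGE = '<html><body><script src="/app.js"></script></body></html>'
TAMPERED = {"/app.js": REFERENCE["/app.js"] + b"/* modified */\n"}

if __name__ == "__main__":
    print(audit(PAGE, REFERENCE, PINNED))
    print(audit(PAGE, TAMPERED, PINNED))
```

A clean result only covers the response this observer received; the single targeted response described in the thread would have to be checked by the targeted client itself, on every load.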



