You can verify the apps and web client via their GitHub repos. You can't verify that they're not scanning non-PGP-encrypted emails before they encrypt them with your Proton PGP key. You can verify that Proton-Proton emails are end-to-end encrypted, and you can verify that PGP-encrypted emails sent and received through Proton are e2ee.
The flaws of Proton are inherent in the shitty SMTP email protocol. There's only so much you can do to provide "private" email in this worldwide oppressive legal environment.