Good question, but one with no influence on whether I trust protonmail. The threat model is different: Openssl is so widely deployed that all is lost for me if it's broken. I'd assume protonmail uses it for it's SSL connections (the webserver pretends to be an apache). If there's an exploit, the attacker can at any time MITM my connection to protonmail and at his discretion inject javascript that captures my decryption password or message.