Yet the source code still isn’t public. It’s been at “As we’re rolling it out gradually to ensure a bug free experience, source code will be available at a later time on our GitHub repo.” for the last 2 months. Later time probably means in a year at this point.

In a way, yes. The more things that have your credentials the greater the attack surface. However the code is open source, you could inspect it and build it from source if you’d like to. Additionally if you use a mailbox password then the app won’t be able to read email content as the mailbox password is used to decrypt the actual content while the main password is for accessing the account. The app doesn’t need your mailbox password for its functionality so it can’t decrypt email content (except the header which is not encrypted by PGP).

Yes I have been using this for a year now and it works great. You can customise the poll duration (how long it waits before checking for new emails) and the notifications have quick actions like mark as read and trash.

Only the APK is on GitHub, source code is still from the previous release. They say it will be “available at a later time” but knowing Proton that could take a while.