• emotional_soup_88@programming.dev
    1 hour ago

    In addition to what @gravitas@lem.ugh.im said, as long as any third party is involved in the handling of PII, there should be no expectation of privacy whatsoever. For instance, I use Mullvad VPN, but that is as much a political/ideological statement to me as it is but one countermeasure against malicious actors in a very complex cyber environment. I could go on about how Mullvad has proven over and over - through third-party audits and through actual incident response - that they have zero data to hand over to the authorities. But I won’t, because that’s not the point here. The point is: if I were involved in something that made me interesting to the authorities in any capacity, putting my trust, privacy, security and life in the hands of one company would not be the way to go about it. Not even in Mullvad, which I otherwise use.

    Good OpSec is not about relying on technical solutions. It’s about real-world threat modeling, assessment, having three backup plans and careful execution.

    Is it morally questionable for Proton to cooperate with the authorities going after activists? Yes. Should there be any expectation of privacy and/or security from the end user’s point of view? No.

    Manage your expectations and scheme accordingly.