You're right. Before any integration of a server-side PGP key like this, they ought to have deployed some basic hygiene like a strict Content Security Policy (CSP) and a better sanitization library like HTML Purifier. I don't trust webmail software, and definitely not PHP webmail software, to hold my keys for me otherwise.