You are absolutely correct, with some caveats. Browser client can generate keys on clientside and allow to offload them as a file to be used on other devices. Our own web XMPP client does that. But Protonmail does not work like this.
Verification is very simple: if you log in on a new device and see all your content while using only login and password to authenticate yourself, then the content stored on a server is NOT encrypted and is readable by server owner.
> if you log in on a new device and see all your content while using only login and password to authenticate yourself
What about if the encryption key is derived from your password? This is common enough for "encrypt file with a password" services, I've personally implemented it in-browser as part of a small project.
Now, having your account password be the same as the email decryption password is also probably a bad idea, but we're far from the server owner being able to read your emails.
Verification is very simple: if you log in on a new device and see all your content while using only login and password to authenticate yourself, then the content stored on a server is NOT encrypted and is readable by server owner.