For the football games, they turned on the encryption shortly after the game started. This created the expression "but en clair" ("unencrypted goal") where a team would score so early that the encryption was still off.
If you're thinking of a private actor, I think that once you have access to MBS phone, you run to Doha before attacking Bezos. Qatar would pay a ton of money for that access.
If you're thinking of a state actor except Saudi Arabia, I think there would be much easier and more discreet vectors to Jeff Bezos Whatsapp than MBS phone (literally almost any of Bezos other contacts would be less risky).
YMMV I guess.
I'm in France too and none of those points apply to my experience (except the monthly fee for the debit card and the snail mail for the new PIN).
I have not set foot in my physical branch in 10 years, and have not written a paper check since 2011.
"Your private key is encrypted with your password. This way your login password receives the status of the private key."
"Your password is never transmitted to the server in plain text. It is salted and then hashed with bcrypt locally on your device so that neither the server nor we have access to your password."
What's stopping them (or being commandeered) to serve you modified javascript which sends them your password, or this being done via an unsanitised email viewed via their web UI?
Having worked for two email companies for over 10 years, I know not trust email providers for privacy.
> What's stopping them (or being commandeered) to serve you modified javascript which sends them your password, or this being done via an unsanitised email viewed via their web UI?
Thinking about this more, the threat model here was an insider. This is something that Tutanota wouldn't be able to prevent with its advertised services given the same situation.