It’s obviously not impossible, but you’ll find people calling every single private messaging platform honeypots. I don’t recall seeing any convincing proof for Tuta, personally.

Nobody knows. They’ve existed for a while, I haven’t heard anything of such claims.

If you want to absolute be safe, only download open source clients complied by yourself (and hope that somebody is constantly looking through the source code for potential backdoors). F-Droid comiles the source for you for the Android client. Encryption is done on the client before sent to servers.

However, if Tuta were secretly evil, they could log IPs and know the email addresses you send/receive to/from. Anything in plaintext will be seen, and you are only relying on their promise to not keep a copy of it. And btw, most of your incoming emails from banks / other websites would be in plaintext, so they could theoreticallt store a plain text version before they encrypt and store it in your mailbox.

But even then, all encrypted emails are safe even if Tuta were a honeypot (which you could never know for sure.

Technically, Proton is the same category, if you compile your clients (and someone constantly checks the code for potential backdoors), then its still safe. People are only pre-emptively moving because they don’t feel safe with Proton due to the CEOs comments, and Tuta has never made such political comments.

Tuta has already been through some cases linked to German court orders to decrypt emails received in the inbox of alleged criminals, just like any other company that is subject to the legislation of its respective country (I don’t know the difference with Proton, which until now I only found out about the delivery of IPs, not the content of the emails themselves, based on Swiss court orders), but I don’t believe it is a honeypot because Tuta has clarified the entire issue and still has credibility in the privacy community.