1. Email is not encrypted unless you use GPG/PGP.
2. Email is transferred unencrypted, so it's vulnerable to interception by a 3rd party during transmission.
3. Any 3rd party service provider has your information, so it can be passed to marketers/NSA/RIAA/IRS/blackmailers/whatever.

The only way to get security with email is to encrypt everything with GPG. Most of the time that means using a proper email client with GPG support. However, there are JavaScript GPG implementations, like openpgpjs.org. I haven't heard about anyone using them to provide an integrated web-mail solution. On top of that, if you are using webmail + openpgpjs, where do you store your keys?
--Coder