PayPal is scum, yadda yadda yadda. Not arguing that. In this situation, though, they might be doing the world a favor.
What this project is doing looks like some kind of snakeoil thing. GPG and webmail? How can that possibly not be (putting it meanly) stupid and broken or (putting it nicely) a technological step backwards from 1990s email security tech?
If the server is sending plaintext to the relatively "OpenPGP-stupid" web browser, and assuming plenty of people will be hosting on VPSes not under their physical control, then the private keys are going to be extremely vulnerable. If the server is sending the ciphertext, then it must also be sending "gpg-written-in-javascript" to the browser, so that the browser can work with openpgp data, so that will be the attack point.
There's just no way webmail will be securable, until either:
1) browsers come with built-in OpenPGP support, or make shell calls to GPG to do it, or something like that. And if that ever happens, then you might as well just add IMAP support to the browser too, and maybe call the browser "Navigator" instead of "Firefox." There's no reason to use webmail if you have a browser that capable.
or 2) people really self-host; i.e. you're going to trust the server to have your private keys, so it's at home, or better yet, the server is in your pocket (and is probably the same machine you're running the web browser on, once again raising the "why webmail?" question), not in some datacenter.
There are already tons of very capable email clients that have excellent GPG integration, and it sure as hell doesn't take anywhere near a hundred thousand dollars to get them. Use one of them instead of some webmail horseshit, and fund whatever improvements you want. Not only will you get something vastly more secure, it'll be cheaper too.
I don't really like being a negative nellie asshole on this one. The Mailpile team strikes me as not-stupid people with good intentions. That makes it all the more mystifying that they would try to get webmail to work; they've got to already know that the idea itself is flawed, no matter how good a job they do on it. But then I thought the same thing about Silent Circle, another obviously-dumb idea that anyone could see was vulnerable to server coercion. (And Lavabit too, though I didn't even know they existed until they didn't exist.) Silent Circle was particularly disappointing, given who was behind it.
I'm not saying the classical (but secure!!) approach doesn't have difficulties for novice users, but anyone who tries to handwave those problems away by relying on trusting servers should not be considered to be really working on the problem.