Not that I know, which is the reason why I essentially didn’t consider those threats relevant for my personal threat model. However, it’s also possible it happened and it was never discovered. The point is that there are risks associated with having the same provider having access to both the emails (and the operations around them) and the keys/crypto operations.

The cost of stealthily compromising a secure email company is simply disproportionate compared to the gain from accessing my emails. Likewise, it’s unrealistic to think some sophisticated attacker would target me specifically to the point that they will discover and then compromise the specific tooling I am using to access/encrypt/decrypt emails. Also, a $5 wrench could probably achieve the same goal in a quicker and cheaper way.

If I were a Snowden-level person, I would probably consider that though, as it’s possible that the US government would try to coerce -say- Proton in serving bad JS code to user X. For most people I argue these are theoretical attacks that do not pose concrete risk.