Proton doesn’t use IMAP. Your inbox isn’t quite like other internet mailboxes. You can’t access it with TLS. You access it via normal TCP/IP traffic. The contents are encrypted and can only be decrypted on your device. This is why IMAP doesn’t work. The Bridge acts as a Proton client, decrypts the data and then acts as a local IMAP server so you can connect to it via another IMAP client. Proton cannot read your email at any other time other than ephemerally at the moment it receives the email, which it then encrypts one way into your inbox. It cannot decrypt it. Only your devices can. Your devices get the private key from Proton’s servers, but they’re encrypted with your account password. So you grab the encrypted key and decrypt it locally on your device. It’s not the most secure, but it’s the most secure you can do without having to manage your own keys. It should be noted that you can possibly lose access to your email. This would require losing access to your physical devices and losing your password at the same time. As long as you have a device that has your key, you can restore access to your account which allows it to update the encryption on the key, etc. If you lose your physical devices and lose your password, you can only restore access to your account, but not any of your email up until that point.