Icecube JS based browser emails like Proton, Tuta, Posteo, etc. are not secure from a targeted guv attack. They can inject code into the JS in your browser and get your key. However, we all need email, and the ones I mentioned are better than the alternatives. Companies put ad trackers in the pixels of their corporate logo in an email to you. Proton blocks these. It helps and if you are not targeted by guv for a high level hack, having your emails encrypted at rest no matter who you email means Proton is not using them for ads. Use Signal or Session or your messenger choice e2e for high threat model. No useful metadata with Signal. The e2e emails have a fair bit of metadata.
As for OP, I just flashed my 6a to GOS for the first time a few months ago. Downloaded the Signal APK from their GitHub. No CAPTCHA.