Yep, the issue is that the server stores the messages centrally in plaintext, and most email users nowadays assume that the server always has a copy. That’s why we have PGP and ring-of-trust, and why there used to be a lot of push to use that, especially with e-mail. Especially with the preparation for the post-quantum era, any communication you actually want to stay secret should be encrypted with (symmetric) keys you exchange in person. That way there’s no log or key exchange that someone can see or store, and thus break in the future.
Unfortunately people in general deemed the centralized solutions “good enough”, and for “more secure” contexts we got the abysmally horrible solutions like Secure Mail. PGP’s problem was that the trust needed to be established in a distributed manner outside normal communication, which the layperson found confusing. It also was problematic in corporate contexts, as proper client-side encryption meant that the company could no longer scan through employee messages.
It’s still the best way to make e-mail safe, though.