This was already happening, unfortunately. The user's mail agent is deemed untrustworthy (and so is the user), so every service which needs to send confidential data just turns your email into a notification with a link. There are so many of these, but often they are limited in scope. For sectors like healthcare you have companies offering this type of service to companies which need to adhere to security theatre standards such as ISO 27001, and because nations often have their own added requirements for specific sectors (think HIPAA in the US or NEN 7510 in the Netherlands) these services tend to remain focussed on single countries.

Then there are the national governments and things like insurance companies. All happily sending message notifications where you need to sign in to their own portals.

Securing email is too complex, so everyone builds their own secured portal thingy, and your mailbox has become a receptacle for notifications. Figuring out a solution would require cooperation, pragmatic lawmaking, and giving up those nice cashcows of moated portals, so it won't happen.

This is how all HIPAA "secure email" works. Outlook, Zoho, clinic comms, BECAUSE it lets you revoke email access.

If you want an opportunity in this space, it isn't actually encrypted emails, but possibly standardizing and streamlining such "message pointers" and address endpoint verification.

Isn't this how banks send secure messages too? You can't send secure emails to arbitrary clients otherwise. PGP stands no chance of being adopted by regular users.

Doesn’t proton mail also do this for sending encrypted mail to folks with no encryption?

They ought to do pgp though

Can’t expect a civilian to manage pgp keys or go to key signing parties

I think one of the growing threats lately in the community has been over malicious client-side javascript, especially when the client handles end-to-end encrypted content (used on sites like Proton, MEGA etc.), so requiring users to trust Google with the contents of these client pages, and by extension the emails themselves, seems (in my opinion) to defeat the entire point of this feature.

Some work in this area has been done in the form of browser extensions that are used to verify signed assets delivered to the client:

https://github.com/freedomofpress/webcat

https://github.com/tasn/webext-signed-pages

https://github.com/jahed/webverify

https://github.com/facebookincubator/meta-code-verify

But unfortunately for now, none of these are seeing wide adoption and this remains an unsolved issue. It also does not require anyone to use known-good, audited and verified open-source components, meaning even if the client code is signed, it can still be malicious... there must be a greater reason to trust the code than just "trust me bro".