They use XMPP and they allow connections from outside their network. ... In most ways they are way ahead of the competition.
How gracious of them!
No, that is the old model. Yet how ahead and gracious are the punks? imap4[s only], submission[starttls only], transport smtp[s preferred, and fixed keyed amongst peers], nothing asked for but username and password, allow connections from anywhere including Tor, simple documentation for the user (thunderbird, mutt, outlook, openpgp, enigmail, ...). The demand for these things is very high right now. You don't need to offer webmail. The setup is not hard. There could be 30 new mail providers running around the globe in three months. All of them teaching the user how to encrypt, exactly where it belongs. And that's just for simple mail, a big win, even without resorting to more exotic http://prism-break.org/ systems.
This matter is very relevant to me. I believe if somebody is saying "we offer encryption", the encryption should be actually, you know, protecting the data. ... No. Google SHOULD provide safe, privacy-aware services and encryption that actually truly protects the data, or at least not claim to do so.
Unless it is the user who keeps and manages their own keys, no service with any 'offer of encryption that actually protects' can ever be true. Services are classed by who manages the keys. Any service that manages keys on behalf of the user and claims to offer protection is nothing more than a false marketing SCAM. Unfortunately, people keep buying the bullshit. Offering at least a little less bullshit can also make you rich (leastauthority.com, rsync.net, etc).