Tutanota open sourced their client. You could use the source and run your own version of the Tutanota client if that's your threat model. It's true the email provider could serve different users different versions of the app and there is no possible way to audit it in real time

A standalone app can give at least some distance and pinnable code. And a bit more if served up from a "neutral" third party like github, f-droid, or allowing tor or vpn to get it in some masked user fashion.

2) You are running unknown code every day. Do you trust the vendors?

Probably not wise until the world changes some more towards those hashtags. Shall we add #SharedAudit .

It's unfair [...] They're trying to solve a complicated problem, inside a web browser, with no easy solution :-/

Yes of course, they're at least trying something new, that's important, so kudos.

It's unfair [...] to call [out] encrypted email providers

But is it... just look at most of their own front page advertising statements that often go like... "Secure Encrypted Email in your Browser" Without weasel words, those statements can end up being fake. Does what net benefit the service may have for [most] users offset potential damage arising from such statements? There's a bunch of front page statements here too that also have more holes than a block of Swiss Cheese... https://www.torproject.org/ Who is parsing and calling them out, and or proffering page updates that use suitably accurate weasel words?

inside a web browser, with no easy solution :-/

If the world is still stupidly insisting on the derelict spy exploited relic of SMTP transport, instead of say fully encrypted P2P overlay transports with legacy SMTP / POP / IMAP frontends for the old timey feels, they should at least be directly extending browser functionality to load and exec user selected third party provided and fourth party audited message crypting code modules from local disk. Or should be using actual properly stood at a distance tools like GPG, Enigmail, Mailpile, NeoMutt, whatever, while replacement distributed P2P messaging and storage systems gain marketshare. If user can locally compile and use Tutanota from Github with no blobs, that's interesting, perhaps consider dropping them some coin if so.