OK - just answering my own question here, but I did a short research writeup on what I found:
Pro: Serious about UI/UX as a security issue. Seemlingly well-thought through and documented "threat-model based" architecture. 2-factor auth and interesting warrant canary program, though only every 6 months.
Con: While SO publishes the mobile app's source code, it's in a compressed "dump" meaning that a much narrower group of people likely interact with it or read through it for problems. And the desktop version's code is not published. As a result, not good at responding to or fixing vulnerabilities.
History: Published on vulnerabilities in related libraries, but not their own -- and they've had some which they didn't fix for months, despite being alerted.
Pro: User-friendly, open source client (not server, though a thorough set of guarantees and non-guarantees), regularly audited, fairly active development over past year (although quiet the past month). Free. $5k bug bounty program, 2-factor auth.
Con: Not many?
History: The resigned co-founder had been speaking about a theoretical different backdoor-ed version which would be sold to specific clients, not the standard version. No mention of vulnerabilities in their releases, which sounds a little too clean -- I'd prefer to hear that they found and fixed things. But their bug bounty program is a good thing.
Pro: Promising model with twitter-based verification, GUI coming soon. Cross platform, 10gb, open source with healthy active development.
Con: in alpha/beta, don't promise not to accidentally delete your data. Currently only command-line, so very limited usability and therefore lots of opportunities for misuse.
History: Good responses to UI-based attack vector reports -- resolved within 1 day. Active bug bounty program with recorded payouts and fixes within 1 day.
This is just my best understanding in an hour or so of research, and could change -- comments, other opinions, corrections welcome!
Also, yay: https://protonmail.com/blog/protonmail-open-source/