I have been off and on with Protonmail since it started but found the lack of features a turnoff. They have recently improved their services and I’m looking at them again, but I was wondering if they are really much more secure and private than iCloud with Advanced Data Protection and website access turned off.
One method of sending a secure email requires special software on both the sender and recipient computers, and a prior exchange of public keys. Another method keeps the secure email on the sender’s server and only sends a link to the recipient. The recipient then logs into the sender’s server to read the decrypted message.
Both methods are very secure. And neither will protect a regular email that your grandmother sent you last Tuesday or a message that you send to that old friend from school.
In their ADP announcement, Apple stated: “The only major iCloud data categories that are not covered are iCloud Mail, Contacts, and Calendar because of the need to interoperate with the global email, contacts, and calendar systems.”
No regular email service can protect a travel itinerary we received from the airlines or the messages that we send because we have no control over the copies of those messages that exist on other computers and services. The same is true even if you operate your own email server.
It’s no more or less secure. Mail is not covered by Advanced Data Protection - so the only real question here is whether or not iCloud.com access to email (web access on) represents an increase in risk. It doesn’t in practical terms - if someone has access to your iCloud credentials they have access to your data. Advanced Data Protection isn’t designed to secure your account against this kind of access.
Advanced Data Protection only really secures you against state action (a police request), or the very unlikely scenario that Apple itself suffers a data breach. ADP prevents Apple from being able to access your data so they can’t be compelled to provide it to another party.
Also, even with Web Access turned on - a potential attacker still needs to be able to unlock one of your trusted devices in order to access anything that is covered by ADP. This doesn’t include mail - I’m just mentioning it for completeness.
It depends on your definition of ‘secure.’ As others have mentioned, Apple’s ADP does not cover mail, contacts, and calendars, which means Apple can access that data on their servers with ADP enabled. With Proton, that same data (email, contacts, and calendars) is encrypted on their systems and the company cannot access that data.
Proton uses PGP for sending and receiving encrypted email messages, so it is possible to correspond with encrypted messages with a non-Proton email user; it’s just easier to do so with another Proton user.