Optional warning before sending unencrypted replies in encrypted threads
Currently, when a Proton Mail user sends a password-protected encrypted message to a non-Proton recipient via a secure link, the recipient can reply securely via the encrypted message portal. However, if the Proton user then replies using the normal “Reply” function, the response is sent unencrypted by default — even though the conversation previously contained encrypted messages.
This creates a significant risk of accidental data exposure, as both the reply and the entire email history may be sent unencrypted without the user realizing it.
I understand this is a deliberate design decision, but I strongly believe there should be an optional safeguard, for example:
- An option to always use the lock (encrypted message portal) in threads that previously contained encrypted messages, or
- A confirmation dialog before sending, such as:
  “This message will be sent unencrypted. Are you sure?”
This would greatly reduce accidental leaks while preserving current behavior for users who prefer it.