I don't understand, are you generally concerned that Mailpile's web JS can search emails, and therefore has access to private user keys/certificates? I mean, doesn't that just come to whether or not you trust the javascript that Mailpile is writing? I don't think this any less secure than say Thunderbird with respect to PGP/SMIME.