I don’t know much about protonmail and tutanota, since I don’t like that you need your contacts to also use the same provider in order to have the easy encryption they offer (so no federation), and it’s not much different than using any email provider and an email client which uses GPG encryption, or PGP encryptions for that matter (I prefer GPG), given the provider is not one of the giants, and not based in the 5 eyes or extended 5 eyes (in this case that really counts, given most of the email one receives is NOT encrypted, since not everyone uses GPG/PGP encryption). Enigmail used to have an option to full encrypt (included subjects) emails on Thunderbird, and I think the new Thunderbird encryption does the same (just that it doesn’t use GPG anymore, and other subtleties).

If not self hosting (as mentioned by others, keeping your service and host secure and safe when opening it to the internet is hard to accomplish), using /e/ email service might be an option, as long as you encrypt as much as you can what you must. But even encrypted emails are not as secure and private as messengers designed for that purpose. So I wouldn’t use email for confidential or personal stuff, or use it as little as possible, and GPG encrypting of course. And if going the GPG route, you should use ed25519 (elyptic curves) keys, same way those are the recommended ones for ssh keys, but the problem is that nothing forces your contacts to do the same, and they might use weaker keys…