I've DDed with this vendor one time so far and everything went super smooth. Got my product quick and had great stealth. We used PGP back and forth to set up the first DD in every bit of communication we had. Now I emailed again about a week later to get another DD going "using PGP" and I get this reply: "Hmm, are you okay with using Protonmail's encryption? I just send you an email that's password-protected. Once you click it, all further correspondence in that thread is encrypted." I'm not really sure what to think about this or even how safe it is. Any suggestions, guys?
Never trust on-site auto-encrypt features or any other third-party encryption service to keep you safe. If they are compromised or a honeypot, there is nothing stopping them from saving everything you type in cleartext before it gets encrypted and sent. Always do your own encryption using software running on your own local machine; this is the only way to guarantee the security and integrity of a message.