Cannot understand supposed ProtonMail vulnerability from wired.com article

This is mostly a guess on what they mean:

Well, public-key schemes need a trusted third party. In this case ProtonMail is assumed to be that third party, who, the first time Alice and Bob communicate, gives Alice a public key that ProtonMail itself owns. When Alice then sends mail to Bob, ProtonMail decrypts the mail and encrypts it with Bob's key, but keeps the unencrypted mail for themselves. So, as the article states:

ProtonMail does allow you to export your public key and send it to another person, but you can’t easily confirm whether your ProtonMail messages are being sent to the same key. It would take serious tech chops to verify the key.

You could send the public key to the recipient beforehand, but they then must trust that it is you sending it.
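As an added example (not from the original post, and not ProtonMail's code), the Go program below models the substitution described above: the key directory hands Alice either Bob's real key or the server's own key, the server relays the mail, and only an out-of-band fingerprint comparison tells the two cases apart. The names runScenario, seal and fingerprint and the sample message are the example's own.

```go
// Constructed model of the post's key-substitution scenario, not ProtonMail's code.
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}
// fingerprint: short digest Alice and Bob compare out of band to verify a key
// (hashes only the modulus here; real tools hash the whole encoded key).
func fingerprint(pub *rsa.PublicKey) [32]byte { return sha256.Sum256(pub.N.Bytes()) }
func seal(pub *rsa.PublicKey, msg []byte) []byte {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
	must(err)
	return ct
}

// runScenario reports whether Bob can read the mail, whether the relaying server
// learned the plaintext, and whether the key Alice was handed matches Bob's.
func runScenario(serverSubstitutes bool) (bobReads, serverReads, keyVerified bool) {
	bob, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	server, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	keyForAlice := &bob.PublicKey // what the key directory hands Alice
	if serverSubstitutes {
		keyForAlice = &server.PublicKey
	}
	ct := seal(keyForAlice, []byte("meet at noon")) // constructed sample mail
	// Server tries its own key; on success it keeps the plaintext and re-encrypts to Bob.
	if pt, err := rsa.DecryptOAEP(sha256.New(), nil, server, ct, nil); err == nil {
		serverReads, ct = true, seal(&bob.PublicKey, pt)
	}
	_, err = rsa.DecryptOAEP(sha256.New(), nil, bob, ct, nil)
	bobReads = err == nil
	keyVerified = fingerprint(keyForAlice) == fingerprint(&bob.PublicKey)
	return bobReads, serverReads, keyVerified
}

func main() {
	fmt.Println(runScenario(false)) // true false true
	fmt.Println(runScenario(true))  // true true false
}
```

In both runs Bob reads the mail normally; only the fingerprint comparison reveals that in the second run the server read it first.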