Supposedly lavabit.com is (from the admin perspective) about as close to zero knowledge as it gets. Logs are kept for a minimum to diagnose abuse/performance issues, and crypto keys are strictly between the user and server. As I understand it, the only legal compromise would be a national security letter style gag order to alter the binary that interfaces the client (be it Outlook, your phone, or the web-mail host) to the back-end data store, which is stored encrypted on disk.
Security flaws are another thing entirely. I have no idea if anyone, aside from internal developers, has vetted the system for flaws that typically result in server compromises.
I was a satisfied free user some years ago, and the above was my understanding of the service after a few pointed queries to the support address.
The main difference being that the modification was code sent to, and then executed by, the end-user's browser in the form of a Java applet.
I personally believe that Lavabit (a tiny company composed of a few dedicated folks) would rather shut down service than do something as underhanded as what Hushmail did.
In either case, the end user is relying on a proprietary system/company to fight the good fight for them, which is foolhardy if your well-being is on the line. Those in need of strong privacy would probably use PGP+Tor for communication anyway.
You said '(be it Outlook, your phone, or the web-mail host)'. I was just providing a relevant historical example to support your point. (Lavabit does have a webmail interface.)
FWIW, the Hushmail ex-CEO seems to strongly agree with you on both the ethics point and the need for users to take blind trust out of the security equation.
---
So I've just gone to the Lavabit site and it looks like they store your private key on the server.[1] That doesn't strike me as being more secure than Malone's idea of externally-audited client-side crypto. But then, as you say, you've arrived at PGP/GPG.
The fact, then, that Zimmermann was involved with the company so early on and they still fucked it up just goes to show that faith in the efforts of 'a few dedicated folks' doesn't get you very far.