While the security granted by this may be imperfect, "no real security" seems like a bit of a stretch. This eliminates the main pathways by which governments obtain access to email (subpoena of the service provider and straightforward interception of the mail as it is transmitted). Combine that with a webmail service like Gmail where the company providing it has a very real incentive to prevent code injection, and with browser vendors being exceptionally fast at finding and patching exploits, and it's hard to say that this isn't far better than nothing at all.
The US government creating a secret law that authorizes a secret court to order Google to siphon all of its cleartext data to the NSA is also a bit pessimistic. The value proposition of the featured plugin is that it protects you from Google snooping on what you do through the means of technology. While I am very glad there is a discussion of the subject, I am saying that the technology the plugin uses is fundamentally flawed and can never be fixed. Because of that, it provides no real security. It is in the same league as setting the root password on your server to "root" and changing the sshd port: obscure but not secure.
