It’s not a bad thing, but the reassurance it provides is extremely tenuous in a situation like this. You have no way to know if the published source corresponds to what’s running on the server. There could be a string of independent audits praising the security of the published code, while the real source is full of files like forward_plaintext_to_nsa.cpp.
I’m not saying it’s not worth using “secure” mail services, because even if there’s only a 10% chance they’re really resisting surveillance, that’s 10% more than you had otherwise. But it’s important to recognise that without end-to-end encryption, you only have your ISP’s word to go on.
