A user needs "something" to access their email. That could be a combination of webmail, email client, app, and/or a custom mechanism. If that's not secure. game over.
Also, what's your definition of secure? Which features do you care about? Email encryption? Privacy and not being tracked?
I believe there isn't an answer to this question. It's not provider vs. client, but the implementation end to end.