I tend to think it is more a matter of using a mail host that you trust. As in most of the cases where I've used gpg/pgp, it was server-side. I mean really, if you can't trust them with your keys, why would you trust them with your mail?
It is less a matter of trusting the host, and more a matter of trusting one's government. Hosts can be compelled to not provide any notification to you of what they turn over.
As to trusting a host with my provider, I worry less about that - that's what GPG is for (when both parties have the keys, not the server operators).
The only case where I could see Roundcube implementing gpg fully on server side is where the user is also the operator. That still leaves keys being stored on a multiuser server, but at least he'd know if he was served an order.
Oh well, off my soap box. Implement what you want. I just hope any README or whatever includes some paranoia.
List info: http://lists.roundcube.net/dev/