
Re: [LUG] Web based emails


I can assess the behaviour of the two web interfaces and assess those aspects of security without source code. Or simply review past records (see below).

I can assess some aspects of infrastructure, SMTP, IMAP, and password management. 

Much security testing is black box, even when the source code is available. 

Source code is handy for static analysis, which is potentially the strongest method. There is only one bit of static analysis of Roundcube I could find mentioned publicly (PHP has relatively poor static analysis tools compared to some other languages), and the bugs being reported in Roundcube don't look terribly sophisticated or subtle.

Google on the other hand clearly has far more developed security processes, both from competence of deployment, measures of availability, and the low number of basic vulnerabilities being found across a huge web front end.

On this basis I'm reasonably confident in my assessment.

In fairness because Google do so many other things, it is plausible there are other issues in their environment that could potentially affect an account, but if the account was just for occasional emails this is unlikely to be a big risk. Ultimately you only need one hole that's exploitable.

https://www.cvedetails.com/vulnerability-list/vendor_id-8905/Roundcube.html

One important lesson I've learnt is to test yourself (never assume others have, or did it right). You may not find issues if brighter folk have been there before (although at work we had 3 issues drop out of widely deployed WordPress plugins by running vanilla Burp Suite scans over websites with no particular skill on our part; clearly many eyes do not look at WordPress plugins, if shallow bugs remain), but the very process of looking will tell you if this is a sendmail or a Postfix, a bind 8 or a bind 9.

Although I note our static analysis tools at work give Postfix a "B" (when most of our code gets an "A"). Although I suspect that is more a question of style and complexity than security, since Postfix has been through a lot of static code analysis tools over the years.
-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq