Yes but the server itself has full visibility on the message while it is handling it. It can scan it for viruses, parse it for ad insertion, feed it to train an LLM, just keep a copy of everything, whatever.

yeah... that's why it's important to be able to trust your email provider... I assumed you meant anyone passing along the message, like a router, or rogue ISP. I was more going for the idea that you can make SMTP secure from sender domain to destination domain. If you don't trust your host, nothing else really matters, in all cases.