If you are using IMAP to connect to the remote server you will have the same result by using webmail. Everyone will be able to view the same folders.
Webmail is not directly related to email security (On the contrary, one could say that webmail is a rather unsafe way to read emails).
Email security depends on the following factors:
1. Where emails are stored
2. What form they are in / who can read them
3. How emails travel through the internet
a)Using thunderbird or webmail doesn’t change something at this point.
Do you trust the team that manages the server? The company that hosts it?
b)It is almost certain that the emails you receive are not encrypted(GPG). Meaning they are in plaintext form on the internet.
That means that the management team of the server can read them. That also means that whoever can gain access in an irregular way to the server,will be able to read the emails aswell. Are the disks of the server encrypted? If the police or the employees of the company come and pull out the disks, will they be able to view their content? Webmail cannot add any type of security on these questions.
c)How do you connect to mailserver? Do you use encrypted connection SSL/TLS? That depends on whether the connection is encrypted between the email client and the remote server. If it is not encrypted then any person in between will be able to view your password and your emails as they are being downloaded to the email client. If you wish to use webmail you should be using HTTPS to connect to it.
At espiv we use roundcube for webmail but we encourage the users to use email clients like Thunderbird and download their emails locally on their computer. We also encourage the use of encryption of publickey, and Tor for anonymity.
At espiv we put effort into keeping the emails that we host as secure as possible. We use full disk encryption, we ourselves are managing the machines, that are accommodated in trusty locations. The use ofencrypted connection TLS is mandatory and we verify the encrypted communication between our server and other radical providers (Riseup,Autistici, aktivix, etc.). Especially when it comes to webmail, weare using different ways to try and seclude it, since any form of web application is often the weak point of a system.