In this project, even if Google is forced to serve a compromised version of Gmail's JavaScript they still can't get your key, since it's stored in the browser's localStorage and is private to the extension, where all the crypto happens. All Gmail gets is the end result.
So the threat model for this project is autoupdates. Extension autoupdate, Chrome autoupdate and OS autoupdate could all compromise this, but that's still worlds better than just sending some different obfuscated JavaScript in a browser session.