You could perfectly well trust that they're earnest without trusting that they're competent. If that's your position, which is resonable, given enough information you can alleviate some of the competency concerns.
That said, given the landscape they're working in, it's hard to trust any commercial entity is genuinely willing and able to keep your communications secure.
Transparency in how you secure your shit is basic diligence, then the user trusts that that is accurate and properly implemented. I'd never use a service that didn't do that; just as I have a firefox addon (CipherFox) that shows what cipher a site is on, so if I see, for example, RC4, I know it's secure in name only.
You could perfectly well trust that they're earnest without trusting that they're competent. If that's your position, which is resonable, given enough information you can alleviate some of the competency concerns.
That said, given the landscape they're working in, it's hard to trust any commercial entity is genuinely willing and able to keep your communications secure.