If you are super duper serious about securing yourself, recovery email is non-viable. Every piece of data is a potential vector towards exposure.

Which comes directly into the problem of security vs convenience.

Of course, but you can't blame Proton that you chose to prioritize convenience over security. If you don't want Proton to know who you are, don't use that feature.