Where is the key kept then? One possibility, the user has to know it, at which point we're back to the fact that users dont seem to want a password for their email app (again, happy to see an interesting post on the generalities of email app security). The other approach is to store it somewhere on the phone, at which point connecting the phone to a computer as you describe is still an attack vector; you just need to find the key.

Of course, I am not highly versed in security, so if there's another option I'm interested to hear it.