A valid point. In this instance, I know because we use Google Apps and store most other things in it. The email is in Gmail, so the difference isn't really that great when you think about it.
As far as I can tell, there is no way to guarantee a 'secure' delivery of documents via email. SMTP might be used rather than SMTPS and you don't always know what servers handle the email when in transit.
> As far as I can tell, there is no way to guarantee a 'secure' delivery of documents via email.
Well, if neither of you forwards to an external account, gmail->gmail email should be pretty "secure" (against other adversaries than Google, those that have hacked one of your Google accounts, and those that Google cooperate with (if any)).
It's not clear by what you write if someone@example.com is emailing you@gmail.com (And so should know that Google knows all the things), or if you meant that you both use Gmail - or if you use Google Apps, so you already give all your emails to Google, but not in a way that is transparent to the sender (however, if the sender doesn't use any kind of end-to-end encryption...).
Not meant as a nitpick -- just pointing out that for some values of "secure" using a single provider for email can be "more secure".
I suppose the "enterprise" alternative would be to have accounts in cross-trusted AD with client-certificates and use S/MIME for client-client end-to-end encryption. In which case (AFAIK) by default, there'd be the possibility of keeping an escrow key.
(The open alternative would probably be to just use Gnu Privacy Guard)
