IMHO, for what it's worth, this is why I would never use Mailbox.
On the HN thread for the blog post announcement yesterday, tptacek said "I don't care who the company is, or how trustworthy you think they are: avoid giving third parties credentials to your inbox."
I would agree with that above statement - whether it's a company with a good reputation for security or a bad one (or even a nonexistent one), that's way too much power to give to any third party.
Remember that when we talk about security being about trust, it's not only about trusting their intentions, but also their power and ability. Mailbox has access to inboxes of thousands of people, some of whom have incredibly valuable emails in their inbox. Combine that with the number of services that use email as a means for authentication, and you have an incredibly attractive target for an attacker.
For what it's worth, I should mention that I've been working on a self-hosted product that provides the functionality of Mailbox/Boomerang, but without the privacy and security implications of using a third-party: https://github.com/ChimeraCoder/go-yo