They mean that encryption/decryption takes place on the source and destination devices, so in theory the servers and attackers in the middle can't read the traffic.

In practice, whoever holds and applies the keys can read the traffic. So if your end device is using code from the server to do this, potentially the server could give you malicious code and read your traffic. The solution is to have the encryption and the storage/transport done by different companies or projects. Use an encryption package such as PGP or Mailvelope, and then a service such as normal email.