This is general, since I have no personal knowledge of Spark or Readdle.
Encryption is very hard to get right and even the NSA messes up. Small companies can potentially have a very hard time of it unless (and sometimes even though) their primary product is security, such as password managers. It’s not enough to use well-regarded open source encryption modules, because the interactions between various modules are just as critical as each module. Encryption routines written from scratch by non-specialists tend to be disastrous. Unless a company has a third party audit done and releases the full results (good and bad) publicly, there’s no reason to expect that the company did it right, especially for something as critical as mail–take over your mail account and it’s suddenly much easier to take over your store and bank accounts; read your company’s email headers and they can much more easily phish your coworkers to deploy ransomware.
Many email services now allow or require separate passwords for each client on each device. These limited passwords definitely improve security, and if your email services provide it as an option you should do it–even though it will probably prevent credential syncing from being useful.
Tokens vs passwords–tokens may prevent complete account takeover (changing your password to lock you out) but they’ll still let a bad guy read enough of your mail to cause you plenty of harm.
It’s worth noting that if you have multiple accounts that include work accounts, it may be actively prohibited to use anything that would transfer credentials or any part of email messages to a third party server. Don’t do this for any work account without checking with your IT security people–it could easily be a firing offense unless the employer has a special agreement in place with the mail service (in which case there will almost certainly be a special way to log in).
[If you have accounts (including Apple IDs) that let you create a recovery email address, you should do that. It’s good insurance in case someone tries to, or does, take over an account. The recovery email should go to the most secure email service you trust, and you shouldn’t use that account for ordinary mail. I have a ProtonMail account (in Switzerland) that I use only for recovery. It’s one of the most secure mail options available, partly because it’s all webmail, no clients need apply. You can also (and should) set up the second password. That way the primary password logs you in, and the second password, which never leaves your computer, decrypts the mail messages. They have a free tier that’s more than adequate for the purpose.]