Presumably that is based on his assumption that once the web app receives an email via https and it is to a gmail user, they don't send the message via email (i.e. it never travels over an insecure channel). It may be a reasonable assumption, but seems a little strange to boast about exactly how secure it is.