The EFF has issued some instructions enitiled "How To Turn PGP Back On As Safely As Possible".
The emphasis there is mine, and that qualifier worries me. Realistically, what risks do I run if I follow their instructions?
And will it help me if I follow them & the sender or recipient of my emails does not?
You are correct in that there are still risks involved.
First, there are the risks that you can eliminate by following the recommendations from EFF. Only use an email client that has been properly patched. Make sure you have actually updated it to a safe version. Preferably, don't turn on rendering of HTML emails.
Then, there are risks you will have to accept if you want the convenience of decrypting emails inside your email client. As highlighted in this answer, the people behind EFAIL discovered multiple exfiltration mechanisms, some not related to HTML. As always, there is a risk that there are more clever tricks waiting to be discovered. In fact, the cat and mouse game is already on. According to EFF, the first Enigmail fix that was published was soon circumvented. Hopefully, future fixes will have a longer half life.
That's why it's safest to just use a program separate from your email client to do the decryption. Unfortunately, while it's safe it's not a very practical option. It seems that EFF thinks the security versus usability contradiction at the core of PGP can not be solved, and that we need something better. From your link:
But if we’re to continue to use and recommend PGP for the cases where it is most appropriate—protecting the most vulnerable and targeted of Internet users—we need to carry on that conversation. We need to cooperate to radically improve the secure email experience, to learn from what we know about modern cryptography and usability, and to decide what true 21st-century secure email must look like.
It’s time to upgrade not just your PGP email client, but also the entire secure email ecosystem, so that it’s usable, universal, and stable.
