
Banks offer to send alerts for each transaction happening on a customer's account. My bank is offering three options: SMS alerts, email alerts and push alerts into their own app. Only SMS alerts are free of charge. The other options cost a very small fee each time a transaction happens.

Could scammers make much out of transaction alerts containing the transaction's IBAN, the amount and sender and recipient?

Besides that, what is the wisest choice between the options? Email notifications could be intercepted if the scammers gain control of my email account. I might not receive emails while traveling in an area with low reception, while SMS still come through.

SMS might be problematic if my phone gets stolen with the SIM card. Then there's no way to be informed (but also no good way to authenticate myself to the bank to halt all transactions).

The bank app is not good because it relies on me having a smartphone and an internet connection. The bank states that email and SMS will be sent unencrypted (as usual); for the push option this is not clear, but it probably will be too.

Which of these options offers the most unlikely scam scenarios?

Vestrigi
  • 13
  • 2

1 Answer

2

Depending on the attacker, they probably won't care much about the metadata for your transactions

If someone was targeting you specifically, because you are a high profile target, then they may want this information as a part of their reconnaissance.

Assuming you are not a high profile target that needs to be concerned about attackers reading your emails, you don't have to worry too much about the emails being sent in clear text, assuming your bank is not sending your personal information or credentials. This is more of a privacy concern than a security one.

The attacker may be more interested in intercepting One Time Passwords (OTP)

If you choose email and the attacker hacks your email account, they may set up forwarding from your email account to one they own, along with rules to "Move messages from X Bank to Trash". They would do this to get any one time passwords sent to that email address without you noticing.

Don't reuse passwords between your accounts, and set up multi-factor authentication if your email service supports it.

SIM Swapping, though more rare, poses the same threat

Using a mobile phone for communication with your bank would require the attacker to gain control of your phone's number. Note, them stealing your physical device is not the same thing; in that case you can have your carrier prevent messages from going to that SIM/Device. SIM Swapping is a technique where the attacker convinces your cell phone carrier to forward messages to a new SIM/Device; details of this attack are outside of the scope of this question. There are more details on that here.

Push notifications cannot be forwarded like the other two, but also would not be used for OTP

Push notification would not (read: should not) be used for One Time Passwords, because that would be assuming the device is already trusted, thus defeating the purpose.

The attack vector you should be most concerned with is Phishing

Whichever one you decide on, it is important not to trust notifications that come in the other forms (i.e. if you subscribed to email notifications, don't trust text notifications and vice versa).

Also, each one is susceptible to phishing in a different way: emails will be sent to you from weird addresses pretending to be your bank, same with text messages, and push notifications may be sent from another app pretending to be the bank's app. Each one of these phishing vectors requires you to take certain precautions:

  • Always confirm the address of the sender, before clicking on links or downloading the remote content of an email
  • Do not reply with your credentials or personal information in any correspondence with your bank, via email or text (your bank should not ask you to do this for any reason)
  • Don't download apps you don't trust
  • Don't visit websites you don't trust while logged in to your bank
  • Research Phishing and how to prevent it, because it is mostly about being cautious, which judging by your question you already are

All three have vulnerabilities

It seems you already know this, but no method is perfect, and each one presents its own risks. It will be up to you to decide which one you are most comfortable with, and be alert against phishing attempts.

iraleigh
  • 326
  • 2
  • 11