Because the address is posted in plaintext in the text box. You are trusting that they are *only* encrypting your message with the recipient's public key, and not transmitting it to their server (google the Hushmail steroid vendor scandal as an example of how someone got pwned by server-supplied code; this isn't theoretical). Encrypting on your own solves that problem. I'm not talking out of my ass either. Read the long discussion here about why relying on server-supplied code is bad: http://dkn255hz262ypmii.onion/index.php?topic=131274.0