Seen in the default configuration of Roundcube webmail (the same problem as the WordPress default): everything the user types is, by default, sent by Roundcube to Google for spell checking. This is good neither with regard to industrial spying nor for the respect of private life, since the past and present practices of Google and US intelligence agencies tend to make use of such data, as shown by Edward Snowden.
Example for version 1.0.0:
roundcubemail-1.0.0/config/defaults.inc.php
In previous versions, these settings were in main.inc.php.dist (which shows the default values), so you need to copy it (cp) to main.inc.php and change those values, for obvious security reasons:
roundcubemail-0.x.x/config/main.inc.php.dist
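
A check for the setting discussed above, as an added example (not code from the original page or from the Roundcube project): it parses configuration text in both the 1.0 and 0.x styles and reports whether spell checking is on and which engine is in effect. The option names `enable_spellcheck` and `spellcheck_engine`, the values `googie` and `pspell`, and the assumed shipped defaults are assumptions not shown on this page; the sample configuration texts are constructed.

```python
import re

# Matches "$config['key'] = value;" (1.0 style) and "$rcmail_config[...]" (0.x style).
ASSIGN = re.compile(
    r"""^\s*\$(?:rcmail_)?config\[\s*['"](\w+)['"]\s*\]\s*=\s*(.+?)\s*;""",
    re.MULTILINE,
)
# Assumption: shipped defaults, matching the behaviour described above.
ASSUMED_DEFAULTS = {"enable_spellcheck": "true", "spellcheck_engine": "googie"}
FALSY = {"false", "0", "", "null"}  # PHP values that evaluate to false


def parse_config(php_text):
    """Return {option: value} for active assignments; a later line wins."""
    text = re.sub(r"/\*.*?\*/", "", php_text, flags=re.DOTALL)  # drop block comments
    return {key: value.strip("'\"") for key, value in ASSIGN.findall(text)}


def audit(*php_texts):
    """Merge config texts in load order and report spell-check exposure."""
    merged = dict(ASSUMED_DEFAULTS)
    for text in php_texts:
        merged.update(parse_config(text))
    enabled = merged["enable_spellcheck"].lower() not in FALSY
    engine = merged["spellcheck_engine"].lower()
    return {"enabled": enabled, "engine": engine,
            "remote": enabled and engine == "googie"}


# Constructed sample configuration texts (not taken from a real installation).
INHERITS = "<?php\n$config['product_name'] = 'Webmail';\n"
COMMENTED = "<?php\n// $config['enable_spellcheck'] = false;\n"
DISABLED = "<?php\n$config['enable_spellcheck'] = false; // no spell check\n"
LEGACY_LOCAL = "<?php\n$rcmail_config['spellcheck_engine'] = 'pspell';\n"

if __name__ == "__main__":
    for name in ("INHERITS", "COMMENTED", "DISABLED", "LEGACY_LOCAL"):
        print(name, audit(globals()[name]))
```

A commented-out override counts as no override at all, so the `COMMENTED` sample is still reported as remote.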