A hybrid IT supply chain example

Here is a small example application architecture, inspired by a real-world situation. Try to understand all the moving parts, the different parties (or teams within organisations) that control them, and what kind of risks that implies.

As a second step, look at all the control boundaries and see what data would move across them, and how that data flow is controlled. Typically, there is some kind of identity involved. This identity could be a person, but it could also be an IP address or a server identity.

Part of risk assessment is identifying the control and the trust on which it is based.
