Assumptions allow you to document constraints like “the backend is secure”. Assumptions can also affect the risk calculation: for example, you can specify that the attack feasibility is always “very low” and connect that assumption with threats that you have identified for the backend.