How would you identify trust boundaries, data flows, and potential attack surfaces in a distributed system?