Yes, a provably secure system has assumptions about the other systems it uses, and they necessarily amount to "all those other systems work correctly and if they don't, it's their bug, not ours."

Provable security means no security-affecting bugs. Precious few software is written to be provably correct (rather than just proving the underlying algorithm correct). None of it runs on proven-correct operating systems with proven-correct bioses, drivers, and chipset ROMs all the way down to the network card and hard drive microcontrollers, because such mythical beasts don't exist. (And these microcontrollers have long been general-purpose computers capable of hosting malware vectors.)

And none of that software runs on provably-correct hardware, which doesn't exist either: software can be proven correct because it's an algorithm, but how can you prove the perfection of a physical device like a CPU, the absence of physical implementation errors like this rowhammer bug which aren't reflected in any design documents?