The release notes (https://docs.mongodb.com/master/release-notes/3.6-compatibility/#bind-ip-compatibility) explain to the reader how they should enable additional network interfaces (rather than just localhost) when upgrading to 3.6.
If the reader hasn't first turned on security and created username/passwords then this could open them up to unauthorized access.
It would be better to add a warning that they should enable security (if they haven't already done so) before removing the localhost limitation.