At the moment we have a mix of different methods which can perform unsafe implicit type conversions, without being very clear to the user about what's happening from simple call-site inspection. The most concerning cases are numberInt/numberLong and safeNumberInt/safeNumberLong. These types will coerce a BSONElement of any numeric type into the target type. In the case of numberInt/numberLong, this can have undefined behavior. In the case of safeNumberInt/safeNumberLong, the behavior is well-defined, but still often unexpected.

We also have coerce methods for various output types which will do the same thing under the hood, but are more explicit about what's happening.

We should investigate improvements to these APIs to make the default, intuitive methods safer.