As mentioned in the FCV README, it's only safe to check a featureFlag while holding the global lock in IX / X to ensure that the FCV doesn't transition all the way from upgraded -> downgraded or downgraded -> upgraded in the lifetime of an operation.

This rule isn't enforced / well-known. And so we have a few cases in the code where we check a featureFlag without holding the global lock in IX / X:

• In createCollection, when checking for collection options (makes secondaries crash - SERVER-88964 will fix it)
• In bulkWrite
• In analyzeCmd
  (There might be other cases as well, I haven't checked.)

This means that a node may potentially be in the fully downgraded but allow a command only executable in the upgraded state to run.

Also note that the latter two examples don't seem harmful because the commands don't persist data in a new format. So we might want a way to differentiate between when a command causes data to get persisted in a new format and when a command is cosmetic (like bulkWrite).

It's also worth thinking about what may happen on a sharded cluster if some shards process the command while others reject it.