Our documentation (see comments) states that on upgrade / downgrade we need to clear an arbiter's data files. However, this means that if the upgrade / downgrade happens while an election is ongoing, the arbiter may potentially vote twice in an election since its data files have been cleared:

1. We are currently in term N-1.
2. Unplanned election starts - the arbiter votes for Node0 in term N. Node0 thinks it has won.
3. Arbiter binary is swapped out and data is cleared as a part of the downgrade procedure.
4. Arbiter is restarted, and votes for Node1 for the same term N. Node 1 thinks it has won.
5. Now both Node0 and Node1 are the primary.

If this scenario is possible (please investigate), it could lead to data corruption. For example, the two primaries can write oplog entries potentially using same opTimes even though the contents of the oplog entries are different, breaking any mitigation strategy involving rollback.