Create and save should sanitize input object the same way set() does with strict mode off. #11001

Closed
sgpinkus opened this issue Nov 20, 2021 · 1 comment
sgpinkus commented Nov 20, 2021

Do you want to request a feature or report a bug?
Bug

What is the current behavior?
save, create, set work differently with strict: false.

If the current behavior is a bug, please provide the steps to reproduce.

Test script

const mongoose = require('mongoose');
const { model, Schema } = mongoose;

var TestSchema =  new Schema({
  text: { type: String, default: 'text' }
}, {
  strict: false
});
TestSchema.methods.someFn = function() { console.log('hi'); }

var Test = model('Test', TestSchema);

async function main() {
  await mongoose.connect('mongodb://localhost:27017/test', { useUnifiedTopology: true, useNewUrlParser: true });
  await mongoose.connection.dropDatabase();

  var unTrusted = { someFn: () => console.log('pwnd') }

  var x = await Test.create(unTrusted);
  await x.save();
  x.someFn();

  var x = new Test(unTrusted);
  await x.save();
  x.someFn();

  var x = await Test.create({});
  await x.set(unTrusted);
  x.someFn();
}

main()
  .then(() => process.exit())
  .catch((e) => { console.error(e); process.exit(); })

Output strict: false

pwnd
pwnd
hi

Output strict: true

hi
hi
hi

What is the expected behavior?
Create and save should sanitize input object the same way set() does, and the same as in strict mode.

What are the versions of Node.js, Mongoose and MongoDB you are using? Note that "latest" is not a version.
v14.18.1

> require('mongoose').version
'6.0.13'
@vkarpov15 vkarpov15 modified the milestones: 6.0.14, 6.0.15 Nov 27, 2021
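
An application-side guard for the behaviour reported above, as an added example that is not part of the issue or of Mongoose: it drops top-level input keys that collide with schema methods or document prototype properties before the object reaches `create()` or `new Model()` on a `strict: false` schema. `reservedNames`, `guardInput` and `StandInDoc` are hypothetical names, and the sample inputs are constructed.

```javascript
'use strict';
// Added example, not Mongoose code. reservedNames/guardInput are hypothetical helpers.

// Names an input key must never take: the schema's methods plus every property
// on the document prototype chain (save, set, toString, __proto__, ...).
function reservedNames(methodNames, proto) {
  const names = new Set(methodNames);
  for (let p = proto; p !== null; p = Object.getPrototypeOf(p)) {
    for (const k of Object.getOwnPropertyNames(p)) names.add(k);
  }
  return names;
}

// Copy only safe top-level keys; report the rest so the caller can log or reject.
function guardInput(input, reserved) {
  const clean = {};
  const rejected = [];
  for (const [key, value] of Object.entries(input)) {
    if (reserved.has(key) || typeof value === 'function') rejected.push(key);
    else clean[key] = value;
  }
  return { clean, rejected };
}

// Stand-in for a compiled model so the example runs without MongoDB.
// With Mongoose: reservedNames(Object.keys(TestSchema.methods), Test.prototype).
class StandInDoc { save() {} set() {} }
StandInDoc.prototype.someFn = function () { return 'hi'; };
const reserved = reservedNames(['someFn'], StandInDoc.prototype);

// Constructed inputs: the object from the issue, and a JSON body as an HTTP
// handler would receive it (JSON.parse makes "__proto__" an own key).
const fromIssue = guardInput({ someFn: () => 'pwnd' }, reserved);
const fromJson = guardInput(
  JSON.parse('{"text":"hello","extra":1,"someFn":"x","save":null,"__proto__":{"a":1}}'),
  reserved
);

console.log(fromIssue.rejected);
console.log(fromJson.rejected, fromJson.clean);
```

Rejected keys are returned rather than silently dropped so a request handler can log them or refuse the request.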
sgpinkus commented Dec 7, 2021

Thanks @vkarpov15.
