Upgrade in the operator is controlled by a CLI flag.
For some reason if the CLI flag isn't specified then upgrade defaults to enabled.
That means everybody should be running with the upgrade disable flag.
Unfortunately the operator.yaml file we've shipped with 1.0 does not have the flag set, so everybody who is deploying the operator will have the upgrade feature enabled.
Clearly this is a big problem as it introduces a lot of risk of hitting issues in every customer deployment (at least those who follow our docs!).