My recommendation is to program as if you used a statically typed language. In your head, and in your documentation, have a fixed type for each variable, function parameter and return value. And don't rely on conversions.
I draw the line at "this parameter is a number or a string containing a number". Just constrain it to a number, and pass parseFloat(str) if you have a string.
And it pays off to be very clear about "string or undefined", or "string or null", or "string or null or undefined". Don't be tempted by shortcuts with == or "Boolishness".
Of course, getting the types right is only one part of safety. You still have to worry about cross-site risks, cookie theft, injection attacks, etc. That is independent of the language.
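As an added example (not the commenter's own code), here is the loose style the comment warns against next to the explicit-type style it recommends; the function names and the `quantity`/`name` parameters are invented for illustration:

```javascript
// Added example, not from the original comment. Contrasts coercion-based
// JavaScript with code that treats each parameter as having one fixed type.

// Loose style: relies on "Boolishness", == and implicit conversion.
// Documented as "q is a number or a string containing a number".
function looseQuantity(q) {
  if (!q) return 1;          // 0 and "" are falsy, so they silently become 1
  if (q == null) return 1;   // already unreachable for null/undefined
  return q * 1;              // "12abc" -> NaN, [5] -> 5, " 7 " -> 7, true -> 1
}

// Explicit style: q is `number | undefined` (undefined means "use default").
// A caller holding a string passes parseFloat(str) itself.
function strictQuantity(q) {
  if (q === undefined) return 1;
  if (typeof q !== 'number' || !Number.isInteger(q) || q < 0) {
    throw new TypeError('quantity must be a non-negative integer or undefined');
  }
  return q;
}

// `string | null | undefined`, each case handled on its own, no == shortcut.
function displayName(name) {
  if (name === undefined) return '(unset)';
  if (name === null) return '(anonymous)';
  if (typeof name !== 'string') throw new TypeError('name must be a string');
  return name;
}

// Why `== ""` is not a safe "is this empty?" check: 0, false and [] all
// compare equal to "" under ==, while null does not.
function looksEmptyLoose(v) { return v == ''; }
function looksEmptyStrict(v) { return v === ''; }
```

The loose functions return a plausible-looking value for inputs that should have been rejected, which is exactly the kind of silent misbehaviour a fixed type per parameter avoids.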