This is a theoretical question! I have an unknown device powered by 12 V which has an NPN open collector output and is rated for 300 mA output current.

Can I directly connect it to an Arduino using an internal or external pull-up resistor to 5V or 3.3V without risk for the Arduino or the device?

I suspect the answer is yes. The Vbe will be approx. 0.6V. Hence Vcb will never be greater than 4.4V (5 - 0.6) or 2.7V (3.3 - 0.6). Is the thinking correct?

If it is open collector, you will be fine; a common GND is needed.

You also have the option of using an optocoupler.

Vcb is irrelevant. There is something from the input pin to whatever drives the base inside the device.
The collector can be pulled high to 5V, 12V, 9V, whatever. Treat the collector as the output. Connect the emitter to Gnd, and to the Arduino Gnd.
When the device is active, the collector will be pulled low; it could be as high as ~0.7V (one diode drop again) or more depending on the current flow. 300mA is not much, so it could be lower.
300mA is a maximum rating; you can draw 50mA or 100mA and it would not affect the sensor or your controller.
The pullup resistor sets the current.

The reason for open collector outputs is so you can have the sensor powered off, say, 24Vdc, which is an industry standard.
Using the open collector you can connect the output directly to a 5V controller using a pullup to its 5V supply.

Just keep the 24V and 5V supply gnds connected.

