As stated by Samuel, the code that a validator runs to check whether a transaction is valid is sent and stored in the transaction body as an input.
So all scripts, be they Plutus or Native scripts, get stored on chain when any UTxO's locked by the script are consumed (though they are not part of the UTxO ledger state, but stored in another part of the ledger) and are retrievable through the chain-indexer, Blockfrost or even in some cases, from some blockchain explorers.
For example, you can use the Blockfrost API "Script CBOR" to access the script CBOR. Here's a link to understand how to do this.
Additionally, if you just look at a sample transaction on CardanoScan itself, for example this transaction claiming an UTxO for the simple "Always succeed" plutus script address [3], we can see that the datum in CBOR is 182a.
Using an online tool caller cbor.me we see that the datum/redeemer was 42 (182a in CBOR hex). The contract bytecode is also listed there, but this is not human-readable plutus core code.
Now for the off-chain part that safely can construct transactions for users, that needs to be distributed by the writer of that script. I know that IOIOG (also known as IOHK) is building a Dapp store to safely distribute such offline code.
And lastly, you are correct! The plutus script hashes to the address, so if one would change the code, a new address should be used. Note however that complex Dapps may use several contracts, for example look at the Occam dex that they showed off [5] They used 3 contracts to implement certain behavior. So over time use cases may change, and other addresses might be used.
EDIT After the Vasil HF in the Babbage era, transactions can witness the scripts by referencing them in other UTxO's that may not be consumed in the transaction. This way, scripts do get stored on the active UTxO graph part of the ledger. These referenced validators will also become available inside plutus (6).
