I know that the public key gets exposed to the blockchain when a person sends a transaction to another address but does the sender only get exposed or does the address receiving also get exposed?
It depends on the address (better said output script) type you are sending to. The very old type that is no longer in use called P2PK is directly sending coins to a public key hence the receiver's public key is already revealed. The new types P2TR are also revealing a tweaked public key of the receiver.
The sender should always provide their public key when they are sending coins using an unlocking script that has any of the checksig operations.
How can you derive a public key from a transaction ID on the blockchain if this is hidden and only created at generation?
The transaction as I explained above should contain the sender's public key in its scriptsig or witness. You just have to decode the raw transaction bytes to extract them.
I recently found out that you can check the public key which ties all of the addresses that were created on generation of the wallet and shows change addresses but this is not obvious on the blockchain explorers and requires you converting the public key into a different format to check.
It sounds like you are referring to
master public key that deterministic wallets use. It is not something you reveal to the public so it can not be found on a blockchain explorer. It is something the wallet can use to derive child public keys from if they are not hardened. You can read more about it in BIP32
https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki