That script is only revealed when a transaction is made from that address.

To send bitcoin to an address, you do not need to know the public key, and the public key is not part of the transaction. All you need to know is the public key hash (for P2PKH addresses), which we communicate with each other in the form of addresses. When you send a bitcoin transaction to an address, your wallet extracts the public key hash from that address and includes it in the script along with some other generic instructions known as opcodes.

To spend bitcoins from an address, you need to provide the public key which matches the public key hash in the script. The public key you provide is hashed, checked against the public key hash, and then the signature you provide is checked against the public key. All of this is stored in the transaction data, which is broadcast to the blockchain.

So, if an address has only received bitcoin, then the public key will still be known only to the owner of that address (unless they have shared it with other people). As soon as you spend bitcoin from an address, then the public key is written to the blockchain and publicly viewable by anyone.