After a stable release of Debian is made, future package updates will
come from the stable-updates suite (e.g. bookworm-updates in the case
of Debian 12). These updates will in most cases contain the same version
of the software from stable suite but with a fix for one or more
security bugs built for it.
In the concrete case of rsync as recently discussed on this list, the
*Debian* package version as reported by dpkg would be 3.2.7-1 when it
was originally installed from the Debian 12 release media, but would be
updated to 3.2.7-1+deb12u2 through package updates that came via the
bookworm-updates suite in your sources.list. All the time, the actual
program is going to report 3.2.7 when you type "rsync --version",
because that is what it is.
When you install Debian it usually enables security updates via an
-updates suite, so every user of stable should be getting security
updates.