In reply to @ravenclaw900:matrix.org
I think that they only need to have the master public key, as they are subkey pairs, as in part of the main key.

No, cryptographically speaking they only really need to know the keys that are actually used.
I can send someone the public part of my signing key (but none of the others) and sign to my hearts content just fine.

However, a subkey on its own is not to be trusted.
So you tend to send them as a "bundle" most of the time.
This bundle contains all public keys (you can ommit the public keys that won't be used for your action tho if so desired).
Your certification key (it's public part ofc) is the important one as that is basically you.
If they trust your certification key and your encryption key is certified with said certification key, then know they can trust your encryption key (as long as the certificate is valid, of course).

You should protect the private key of your certification key at all cost (ofc, protect all of them).
If they hack any of the other keys, they only can use that part to do as they please.
However, if they have the private key of your certification key, they can create new subkeys at their own leasure.

Subkeys are just more localized webs of trust.

So I have been reading about gpg and I think I get it that the master key pair

Due to somewhat offensive nature we call it a "primary key pair"... (just kidding "primary" is in the spec, "master" is just a new term invented later).