Yes, as Howard says. "Normally" no code ever needs to be written to the code base and should always be read only by the web
server user account,
as per the security documentation.
When you install a plugin, you need to know what type it is since that will tell you into what directory it will be installed. The user installing it has to have the
permission to write to the directory to install it.
If you do this from the command line as sudo or some other privileged user, that user needs to be able to write to the files and to also make sure afterwards that whatever permissions the files ends up with will work for the webserver user to read and use them.
If you do this from the admin interface, in which case it is as the web
server user who is actually performing the plugin install, you will need to make the directory for the plugin writable temporarily, then install the plugin, then immediately make the directory and the new subdirectories and files read only again.
Howard says he would "never, ever" use the admin interface to do this, however the fact is some hosting solutions do not allow any command line or privileged user access to shared servers, and that case your only way to do plugin installs would be via
CPanel or some other tool to set the various proper permissions. (This is also the case in some organizations I work with that self
host where Moodle admins are not allowed command line access to servers.)
Aside from plugin installs, the web server user does not need write access to the Moodle code.