Can I trust the access token sub claim for identifying a user?

The sub in the access token is typically the application username (coming from the application user profile), but with a custom authorization server (such as the one called default) you can modify this claim to suit your purposes if you want a different value in the sub claim. So with the default claim expression, it is possible that the value could change if the user’s application profile changes (which could be caused by their email with Okta changing).

I should mention that while the ID token stores the user’s Okta ID in the sub claim, you will ALSO find this value in the uid claim within the Access token, so you don’t have to do anything special to get this value in that token instead. Details about the Access Token payload are here: OpenID Connect & OAuth 2.0 API | Okta Developer
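The distinction in the answer above, as an added example that is not part of the original post or Okta's own code: application records are keyed by uid, while sub is treated as a display value that can change. It assumes the claims come from an access token whose signature, issuer, audience and expiry were already validated; `LocalAccounts`, the sample claim values and the decision to reject tokens without uid are assumptions of this example.

```python
class IdentityError(Exception):
    """The verified token does not identify a user."""


def stable_user_key(claims):
    """Return the key local records are stored under: uid, never sub."""
    uid = claims.get("uid")
    if not isinstance(uid, str) or not uid:
        # Assumption: no uid means no user is bound to the token.
        # Fail closed rather than falling back to the mutable sub.
        raise IdentityError("access token has no uid claim")
    return uid


class LocalAccounts:
    """Hypothetical application-side account table keyed by uid."""

    def __init__(self):
        self._by_uid = {}

    def resolve(self, claims):
        key = stable_user_key(claims)
        account = self._by_uid.setdefault(key, {"uid": key, "notes": []})
        account["login"] = claims.get("sub")  # display value, refreshed per request
        return account


# Constructed sample claims (not real Okta IDs).
BEFORE = {"sub": "alice@example.com", "uid": "00uCONSTRUCTEDaaaa"}
# Same user after a profile change altered the default sub value.
AFTER = {"sub": "alice.smith@example.com", "uid": "00uCONSTRUCTEDaaaa"}
# Constructed scenario: a different user now presents the old username.
REUSED = {"sub": "alice@example.com", "uid": "00uCONSTRUCTEDbbbb"}
# Token with no user bound to it.
NO_USER = {"sub": "constructed-client-id"}


def demo():
    accounts = LocalAccounts()
    first = accounts.resolve(BEFORE)
    first["notes"].append("private note")
    renamed = accounts.resolve(AFTER)   # must be the same record
    other = accounts.resolve(REUSED)    # must be a fresh, empty record
    return first is renamed, renamed["login"], other["notes"]


if __name__ == "__main__":
    print(demo())
```

Keyed by sub instead, the renamed user would lose their record and the second user would inherit it.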