1. Where do I configure the spam score levels that determine the severity of the spam classifications?
In the Amavisd config file, mainly /etc/amavis/conf.d/50-user on Debian/Ubuntu.
2. Is all spam handled according to my description above, or is mail with a very high spam score simply dropped (not forwarded to the user mailbox)?
Delivered to the user's mailbox by default; no email will be dropped/discarded because of a high spam score.
I would like all mail that is classified as spam (severe and not so severe) to be simply tagged as spam and delivered to the user mailbox, where users can handle / move it themselves via filters to their preferred folders.
3. What do I have to change from the default setup to ensure all spam is treated as per my preferred setup?
Then don't change anything. The default setup is working as you expected.
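
For reference, an added illustration that is not part of the original thread: the amavisd-new settings that control spam score thresholds and what happens to mail that crosses them, as they could appear in /etc/amavis/conf.d/50-user. The numeric thresholds and the subject prefix are constructed sample values, not the defaults of the setup discussed above.

```perl
use strict;

# Score thresholds (constructed sample values, adjust to your own policy).
# At or above tag level: X-Spam-Status / X-Spam-Level headers are added.
$sa_tag_level_deflt  = 2.0;
# At or above tag2 level: the message is marked as spam (X-Spam-Flag: YES).
$sa_tag2_level_deflt = 6.2;
# At or above kill level: $final_spam_destiny below is applied.
$sa_kill_level_deflt = 6.9;

# Prefix used when the Subject of a tag2-level message is rewritten
# (constructed sample value).
$sa_spam_subject_tag = '***SPAM*** ';

# What to do with mail at or above the kill level.
# D_PASS delivers it to the recipient with the spam headers in place,
# which is the "tag and deliver" behaviour asked for in the question.
$final_spam_destiny = D_PASS;

# For contrast, these alternatives would keep high-scoring mail out of
# the mailbox and are NOT what the question asks for:
#   $final_spam_destiny = D_DISCARD;   # silently dropped
#   $final_spam_destiny = D_BOUNCE;    # non-delivery notice sent to sender

1;  # ensure a defined return value
```

After editing the file, restart the amavis service so the new values are loaded. Users can then filter on the `X-Spam-Flag: YES` header to move tagged mail into a folder of their choice.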