Well, if you don't want to let devs run arbitrary code off the internet on their machines, that cuts off more than Docker Hub; it cuts off almost every package manager under the sun.
If I had to work under such a restriction, I would ask for a cheap spare machine, running on a guest network and hosting no sensitive code, where I could download and try random packages off the internet before I could submit them for audit, approval and vendoring.