Does having a Docker image, that unless you push back to hub.docker remain private? Ideally I would like to make docker image that is accessible from within client’s firewall and inaccessible anywhere else?

Yes, you can absolutely make Docker images which do not ever leave your local computer or a corporate firewall. docker build will images local to the computer where the build is run. You can then docker push them to a local registry (e.g., docker push internal.corp:5000/me/foo) or docker save them and docker load them to wherever you want to run them without going through a registry.