Afaik images from the local cache are only used as a fallback. Usualy when the swarm scheduler commands a task to create a container, the image is allways pulled - though from my observation the tag will be stripped in the local cache - and then the container is created.
This is neither restricted to Dockerhub as image repository, nor for the latest tag. If a different image repository is used, the full qualified domain name is used in front of the repo-group. If tags are not set to be immutable and a new image is pushed for an existing tag, the tag will be linked with the new image id. Thus, if you manualy pull the image or swarm pulls the image implicitly, the new image will be pulled. Though only for manual pulls the tag will be changed to point to the new image id.
If you create your own images and want to run them in your swarm, you might want to setup your own private repository. Gitlab, Artifactory and Nexus have a build in Git Repo with https support and authentification. There are plenty of other docker repositories to pick from.