Is it possible to set-up/configure Docker on macOS so that only either whitelisted registries, or whitelisted images/containers can be downloaded?
You could write your own policies with OPA and enforce them. I never used OPA, but according Docs, the image field is transported to the policy engine and you should be able to use the build-in function
startswith(string, search) to check wether the string for the image starts with the fqdn of a whitelisted registry.
At least it’s worth a try.