The right answer is to use your own repository and pull those images in-house where they can be scanned and verified, i.e., run a container from that image, scan it using security tools, then action from there.
This is why we have a local registry, and any container that goes to testing or production or is needed for builds should be buildable from source.
We still need to figure out how to best tackle the issue of online repositories being taken down or vanishing. For now we run apt-mirror.
The same thing you do with any 3rd party dependency -- save a copy of the source. Pull from DockerHub all you want but keep the images and their sources in a private registry and deploy your actual services from that.
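The pull, scan, and re-host workflow described in the comments above can be scripted. This is an added example, not code from any of the commenters: the registry host `registry.internal.example`, the `mirror/` prefix, the function names, and the choice of Trivy as the scanner are all assumptions. Set `DRY_RUN=1` to print the commands without running them.

```shell
#!/bin/sh
# Added example. Assumptions: PRIVATE_REGISTRY is a placeholder host, Trivy is the scanner.
PRIVATE_REGISTRY="${PRIVATE_REGISTRY:-registry.internal.example}"

# With DRY_RUN set, print each command instead of executing it.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "+ $*"; else "$@"; fi; }

# Map an upstream reference to its name in the private registry.
mirror_ref() {
    ref=$1
    case "$ref" in
        *@*) echo "digest-pinned reference not handled: $ref" >&2; return 1 ;;
    esac
    first=${ref%%/*}
    case "$ref" in
        */*)
            # First component is a registry host only if it has "." or ":" or is localhost.
            case "$first" in
                *.*|*:*|localhost) host=$first; path=${ref#*/} ;;
                *) host=docker.io; path=$ref ;;
            esac ;;
        *) host=docker.io; path=library/$ref ;;   # official Docker Hub image
    esac
    case "${path##*/}" in
        *:*) ;;
        *) path=$path:latest ;;                    # Docker's implicit tag
    esac
    # ":" is not valid inside a repository path, so host:port becomes host_port.
    host=$(printf '%s' "$host" | tr ':' '_')
    printf '%s/mirror/%s/%s\n' "$PRIVATE_REGISTRY" "$host" "$path"
}

# Pull, scan, and push only if the scan passes.
mirror_image() {
    src=$1
    dst=$(mirror_ref "$src") || return 1
    run docker pull "$src" &&
    run trivy image --exit-code 1 --severity HIGH,CRITICAL "$src" &&
    run docker tag "$src" "$dst" &&
    run docker push "$dst"
}

# Mirror every image named on the command line.
for img in "$@"; do
    mirror_image "$img" || echo "not mirrored: $img" >&2
done
```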
What will happen if public container images are no longer available for building your application?
You're in for a world of hurt if a major dependency of your application doesn't work anymore because someone pulled the image.