Create a docker group repository, and put a docker hub proxy repository in this group.
Disable anonymous access in Nexus 3. Then create a test user, and grant them read access to the docker group repository, but not to the docker hub proxy repository.
They will not be able to pull any docker images through the group, they'll get a 404 response every time. If you grant them direct read access to the docker hub proxy then requests through the docker group repository will start working.
I also tested this scenario with Maven repositories, and for those transitive privileges worked.
I've attached a support zip file with my setup.