I have anonymous access granted globally using default anonymous role permissions
(repository view * all browse & read access).
I have a hosted docker registry with the anonymous access disabled.
Users are able to pull images from the registry while being unauthenticated.
As a workaround, I created a new anonymous role and granted it read & browse access to every repository except the hosted docker registry.
I confirmed that unauthenticated users are no longer able to pull images from that registry.
For whatever reason, it appears that the global anonymous setting is taking precedence over the repository configuration, which is not intended based on the document.
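
The workaround described above can be audited offline. The following is an added example, not part of the original post and not Sonatype code: it checks whether a role's privilege list still covers a given repository through wildcards, and builds the per-repository list that leaves the protected registry out. It assumes the Nexus Repository privilege naming convention `nx-repository-view-<format>-<repository>-<action>`; the repository names and helper function names are constructed for illustration.

```python
PREFIX = "nx-repository-view-"

def parse_privilege(name):
    """Split a repository-view privilege into (format, repository, action)."""
    if not name.startswith(PREFIX):
        return None
    parts = name[len(PREFIX):].split("-")
    if len(parts) < 3:
        return None
    # Repository names may contain hyphens: the format is the first
    # token, the action is the last, everything between is the name.
    return parts[0], "-".join(parts[1:-1]), parts[-1]

def grants(privilege, fmt, repo, action):
    """True if the privilege covers this format/repository/action, wildcards included."""
    parsed = parse_privilege(privilege)
    if parsed is None:
        return False
    p_fmt, p_repo, p_action = parsed
    return (p_fmt in ("*", fmt)
            and p_repo in ("*", repo)
            and p_action in ("*", action))

def exposing_privileges(role_privileges, fmt, repo, actions=("browse", "read")):
    """Privileges in the role that give browse or read access to the repository."""
    return [p for p in role_privileges
            if any(grants(p, fmt, repo, a) for a in actions)]

def scoped_privileges(repos, protected, actions=("browse", "read")):
    """Explicit per-repository privileges for everything except the protected names."""
    return [f"{PREFIX}{fmt}-{name}-{action}"
            for fmt, name in repos if name not in protected
            for action in actions]

# Constructed inventory: (format, repository name). Not taken from the post.
REPOS = [("maven2", "maven-central"), ("npm", "npm-proxy"), ("docker", "docker-hosted")]

# The wildcard grant the post describes for the default anonymous role.
DEFAULT_ANON = ["nx-repository-view-*-*-browse", "nx-repository-view-*-*-read"]

if __name__ == "__main__":
    print("default role exposes:",
          exposing_privileges(DEFAULT_ANON, "docker", "docker-hosted"))
    replacement = scoped_privileges(REPOS, {"docker-hosted"})
    print("replacement role:", replacement)
    print("replacement role exposes:",
          exposing_privileges(replacement, "docker", "docker-hosted"))
```

This audits role definitions only; confirming the result still takes an unauthenticated pull attempt against the registry, as done in the post.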