Currently, a pipeline can specify any docker images and Nextflow will pull them.

If an enterprise installation of Wave is able to restrict container registries, then Nextflow pipelines can effectively be locked down. If someone ran a pipeline that had docker images sourced from an unknown registry, Wave would reject the request and the Nextflow run would fail with an error.