Comment by cpuguy83

None of this has anything to do with Dockerfile but the tools used within.

Nix provides the tooling to do reproducible builds. Meanwhile docker is a wrapper around the tools you choose.

Also just to note, docker does allow you disable network access during builds. Beyond Dockerfile, which is a high level DSL, the underlying tech can do this per build step (in buildkit LLB).