No it’s not umbrels “fault” per se, but umbrel can use another container registry.
And i think you’re wrong regarding TOR. Outgoing connections is routed through the default route as far as I can see, which in my case is a VPN enabled router.
In most cases it would route traffic for apt updates etc through your regular router, which can potentially be used to identify your device to your IP.
So now for example, docker can see that my ip downloaded an LTC container image.
If docker hub is blocking VPN ips my guess is that they would block TOR gateway IPs as well (or will start soon), so this could help if umbrel starts fetching images over a TOR proxy to protect privacy as well