It is pretty well impossible to protect the internals of a docker image. A docker image is essentially a tar file and it can be saved to a tar file and extracted.
Remove all shells
> docker exec :id -it /bin/rm -R /bin/*
That gets rid of sh and any bin useful command in linux.