I do it! Everything I pull is pinned with sha256 since I use Nix/Kubenix, so I'm required to pin sha256 if I'm fetching from the Docker registry (or build the package deterministically myself).
The way image signing works with Docker is that there is a signature tying a tag to a sha256. If you use the sha256 directly you get immutable sources, but now your source isn't signed anymore -- how are you sure the hash is correct?
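
An added example, not part of the original comment: a simplified model of the two checks discussed above, showing that a digest pin proves the bytes are unchanged while only the signed tag-to-digest record says whether that digest is the one the publisher vouched for. The record layout, the function names and the sample data are hypothetical, and an HMAC stands in for the publisher's asymmetric signature so the block runs with the standard library alone.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: stands in for the publisher's signing key

def digest_of(manifest: bytes) -> str:
    return "sha256:" + hashlib.sha256(manifest).hexdigest()

def _mac(targets: dict, key: bytes) -> str:
    payload = json.dumps(targets, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def sign_targets(targets: dict, key: bytes) -> dict:
    # The signed record is what ties a mutable tag to an immutable digest.
    return {"signed": targets, "sig": _mac(targets, key)}

def check_pin(pinned: str, tag: str, record: dict, key: bytes, manifest: bytes) -> str:
    # 1. Immutability: the bytes served must hash to the pinned digest.
    if digest_of(manifest) != pinned:
        return "content-mismatch"
    # 2. Authenticity of the tag -> digest record itself.
    if not hmac.compare_digest(_mac(record["signed"], key), record["sig"]):
        return "signature-invalid"
    # 3. Provenance: the pin must be the digest the publisher signed for this tag.
    if record["signed"].get(tag) != pinned:
        return "pin-not-signed"
    return "ok"

# Constructed sample data (not real image manifests)
GOOD = b'{"layers": ["constructed-layer-a"]}'
OTHER = b'{"layers": ["constructed-layer-b"]}'
RECORD = sign_targets({"app:1.0": digest_of(GOOD)}, KEY)

if __name__ == "__main__":
    # Pin matches the bytes and the signed record.
    print(check_pin(digest_of(GOOD), "app:1.0", RECORD, KEY, GOOD))
    # Pin is internally consistent but was never signed for this tag.
    print(check_pin(digest_of(OTHER), "app:1.0", RECORD, KEY, OTHER))
    # Registry served different bytes than the pin.
    print(check_pin(digest_of(GOOD), "app:1.0", RECORD, KEY, OTHER))
```

The second case is the one the question above is about: the pin is immutable and self-consistent, yet nothing but the signed record shows it is the wrong hash.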