The problem being that the LIST routine should handle a comment like a string (which is how it is parsed and stored: a comment is essentially an unquoted string extending to the end of the line), but doesn't bail out of keyword expansion, whenever it encounters a REM token.
[Edit]
Coincidentally, a shifted "L" is PETSCII code 0xCC. Which is just one after the highest available token in Commodore BASIC 2.0 / V.2. (The last one being 0xCB, `GO`.) Therefor, a lookup into the keyword list will yield the terminating zero-byte, which probably causes the problem. (E.g., by defeating what was intended to be an unconditional branch instruction.)
(In BASIC 4.0 for the 40xx/80xx PETs, this is actually a valid token, namely `CONCAT`, which is expanded by LIST without further issues. Meaning, this kind of LIST protection can be broken by simply loading the program on one of the later PETs.)
That's why I said "at least on the C64". This particular bug probably also happens on the VIC-20, but I don't know if PET BASIC 2.0 is the same or not. I'd also imagine the "protection" would break if loaded on BASIC 7 or 10 (although 10 was never finished, but it was based on BASIC 7 AFAIK, so there's that).
I had a cursory look at it: there's no check for REM, of any kind, but there's, of course, a check for quoted strings. For any tokens, an offset count is calculated by subtracting 0x7F from the token and then a loop starts searching for set sign-bits in the keyword list, decrementing the counter each time, it finds one. If the counter is zero, we must be right at the keyword, we're looking for. – But in those cases, where we are not…
For values larger than 0xCC (shift-L), the routine actually wraps around. E.g, shift-M is listed as FOR (0x81), shift-N as NEXT (0x82), and so on. This is, because the keyword list is exactly 256 bytes long (including GO and the terminating zero-byte, like on the C64) and is inspected by an indexed load instruction. So the index register just wraps around.
(BASIC 4.0, on the other hand, has to deal with a longer keyword list anyway, so it uses a more complex method to read the list, involving a pointer. Thus it happily spills over into the list of error messages, which follows immediately after this and happens to be encoded in the same way. Therefor, it will expand any excess-tokens into error messages. I guess, this will be the same with BASIC 7, and so on, if they are anything like this.)
