20230214c -- A Curious Cross-reference

A project log for ROM Disassembly - AlphaSmart Pro

Wherein I disassemble the ROM from a vintage typewriter-thing

ziggurat29, 02/16/2023 at 13:47

As part of a cleanup pass I decided to whizz through the internal data section (0x40-0xc0) and update whether these are 8- or 16-bit quantities by examining references.  If I see a 'ldd' or 'std' then I infer that they are 16-bit.  Along the way, a few curiosities appear:

There's a bunch of locations that appear to be 'flags'.  However, they aren't typically packed bitfields, despite being capable of such.  A bit of a waste of space, but I suppose there was space to be wasted in this minimal product.

One thing that caught my eye was location 0x5e.  From the cross references I see a 'rol' instruction:

Address           Text
-------           ----
sub_E5A0+6        std     unk_5E
sub_E5A0:loc_E5A8 ldd     unk_5E
sub_E5A0+1B       std     unk_5E
sub_E6BD+11C      ldd     unk_5E
sub_E6BD+128      ldaa    unk_5E
sub_E6BD+151      ldaa    unk_5E
sub_E6BD+16F      ldaa    unk_5E
sub_E84F+3        clr     unk_5E
sub_EA29+49       rol     unk_5E

I'm going to assume this is a 16-bit location for now (it's not uncommon to mess with high/low bytes separately, so I think the 16-bit assumption prevails.  For now.)

The first routine in the list is interesting:

E5A0             sub_E5A0:
E5A0 BD E5 90        jsr     sub_E590
E5A3 CC FF FE        ldd     #$FFFE          ; 16-bits, bit 0 low
E5A6 DD 5E           std     unk_5E
E5A8             loc_E5A8:
E5A8 DC 5E           ldd     unk_5E
E5AA 1A 83 FF FF     cpd     #$FFFF
E5AE 27 74           beq     loc_E624
E5B0 B7 80 00        staa    $8000
E5B3 F7 C0 00        stab    $C000
...

The thing that is interesting to me about this is that the value starts with a single 0 bit, is 16-bits long, and the high byte is written to 8000 and the low value written to C000.  As mentioned before, I'm pretty sure that is not RAM and is likely memory-mapped stuff.  This device is pretty simple electronically, and I know there are two 74374 latches to make 16 keyboard columns.  The 'rol' reference to 5E would be involved in walking the bit through a scanning process.  And the subsequent byte 0x5f also has a rol reference.

All of this is suggestive that 8000 is the 'high' latch and C000 is the 'low' latch.  I don't have the physical hardware, but I'd wager that buzzing out the 74138 would show that it does decode addresses going to those external parts consistent with this mapping.
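As an added illustration (not code from the ROM or from the author), the following Python model runs the loop at sub_E5A0 with a 16-bit rotate and records what lands on $8000 and $C000. It assumes the carry flag is set going into the rotate and that unk_5F is rotated before unk_5E; neither detail is shown in the listing above.

```python
# Added model of the scan loop hypothesised above; not code from the ROM.
HIGH_LATCH, LOW_LATCH = 0x8000, 0xC000   # write targets seen at E5B0 / E5B3

def rol8(value, carry):
    """68HC11 ROL on one byte: rotate left through the carry flag."""
    shifted = (value << 1) | carry
    return shifted & 0xFF, (shifted >> 8) & 1

def scan(carry_in=1, limit=64):
    """Run the loop from sub_E5A0 and return (latch writes, terminated?).

    Assumed, not shown on the page: the carry flag equals carry_in before the
    low byte is rotated, and unk_5F is rotated before unk_5E.
    """
    ram = {0x5E: 0xFF, 0x5F: 0xFE}          # ldd #$FFFE / std unk_5E (big-endian)
    writes = []
    for _ in range(limit):
        a, b = ram[0x5E], ram[0x5F]         # ldd unk_5E
        if (a << 8 | b) == 0xFFFF:          # cpd #$FFFF / beq loc_E624
            return writes, True
        writes.append((HIGH_LATCH, a))      # staa $8000
        writes.append((LOW_LATCH, b))       # stab $C000
        ram[0x5F], carry = rol8(b, carry_in)
        ram[0x5E], _ = rol8(a, carry)
    return writes, False                    # exit condition never reached

def columns_driven(writes):
    """Pair up the latch writes and list which of the 16 lines is low each pass."""
    cols = []
    for (_, hi), (_, lo) in zip(writes[0::2], writes[1::2]):
        word = hi << 8 | lo
        low_bits = [bit for bit in range(16) if not word >> bit & 1]
        cols.append(low_bits)
    return cols

if __name__ == "__main__":
    writes, finished = scan(carry_in=1)
    print("terminated:", finished, "passes:", len(writes) // 2)
    for n, low in enumerate(columns_driven(writes)):
        print(f"pass {n:2d}: lines low = {low}")
    print("carry clear terminates:", scan(carry_in=0)[1])
```

In this model a set carry gives exactly 16 passes with one line low per pass, bits 0 to 7 on the $C000 byte and then bits 8 to 15 on the $8000 byte. With the carry clear the pattern decays to 0x0000 and the cpd #$FFFF exit is never taken.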

But what about bit 2 of 8000 and the LCD?  I think it is fine for it to serve double duty.  Having that line toggle while doing keyboard things won't affect the LCD because it is not being selected via the PAb7 EX line.  And maybe there are other things serving a similar double duty.  As mentioned, I don't know where the output lines for the keyboard emulation come from.  Maybe here on different bits.

What's also interesting is that 8000 is usually written, but read one time and one time only.  C000 is only ever written, never read.  This suggests that 8000 might also serve as the 74573 keyboard row register.

All this is hypothesis, based on reason rather than measured facts.  But intriguing....