You're correctly asserting that a PASETO key is only used for a given version, but from our understanding of this code, it's possible to use a public key as a local key.
The easiest thing to do would be to also check the key object's "purpose" (or type) at runtime.
https://github.com/sjudson/paseto.js/blob/618da178daf5c0049d0e490212861b3debe637ac/lib/protocol/V2.js#L286-L288
You're correctly asserting that a PASETO key is only used for a given version, but from our understanding of this code, it's possible to use a public key as a local key.
The easiest thing to do would be to also check the key object's "purpose" (or type) at runtime.
The updated guidance can be found here: https://github.com/paseto-standard/paseto-spec/blob/master/docs/02-Implementation-Guide/03-Algorithm-Lucidity.md